diff --git a/nixos/doc/manual/release-notes/rl-2505.section.md b/nixos/doc/manual/release-notes/rl-2505.section.md
index 5ce521657c936..449a590262c27 100644
--- a/nixos/doc/manual/release-notes/rl-2505.section.md
+++ b/nixos/doc/manual/release-notes/rl-2505.section.md
@@ -134,6 +134,9 @@
 - `vscode-utils.buildVscodeExtension` now requires pname as an argument
+- The behavior of `services.hostapd.radios..networks..authentication.enableRecommendedPairwiseCiphers` was changed to not include `CCMP-256` anymore.
+ Since all configured pairwise ciphers have to be supported by the radio, this caused startup failures on many devices which is hard to debug in hostapd.
+
 - `nerdfonts` has been separated into individual font packages under the namespace `nerd-fonts`. The directories for font files have changed from `$out/share/fonts/{opentype,truetype}/NerdFonts` to `$out/share/fonts/{opentype,truetype}/NerdFonts/`, where `` can be found in the
diff --git a/nixos/modules/services/networking/hostapd.nix b/nixos/modules/services/networking/hostapd.nix
index 82ece277f1875..8635dea738ce2 100644
--- a/nixos/modules/services/networking/hostapd.nix
+++ b/nixos/modules/services/networking/hostapd.nix
@@ -11,7 +11,6 @@ let
 attrNames
 attrValues
 concatLists
- concatMap
 concatMapStrings
 concatStringsSep
 count
@@ -34,11 +33,9 @@ let
 mkOption
 mkPackageOption
 mkRemovedOptionModule
- optional
 optionalAttrs
 optionalString
 optionals
- singleton
 stringLength
 toLower
 types
@@ -710,7 +707,7 @@ in {
 pairwiseCiphers = mkOption { default = ["CCMP"];
- example = ["CCMP-256" "GCMP-256"];
+ example = ["GCMP" "GCMP-256"];
 type = types.listOf types.str; description = '' Set of accepted cipher suites (encryption algorithms) for pairwise keys (unicast packets).
@@ -719,7 +716,8 @@ in {
 Please refer to the hostapd documentation for allowed values. Generally, only CCMP or GCMP modes should be considered safe options. Most devices support CCMP while
- GCMP is often only available with devices supporting WiFi 5 (IEEE 802.11ac) or higher.
+ GCMP and GCMP-256 is often only available with devices supporting WiFi 5 (IEEE 802.11ac) or higher.
+ CCMP-256 support is rare.
 ''; };
@@ -906,7 +904,7 @@ in {
 bssCfg = bssSubmod.config; pairwiseCiphers = concatStringsSep " " (unique (bssCfg.authentication.pairwiseCiphers
- ++ optionals bssCfg.authentication.enableRecommendedPairwiseCiphers ["CCMP" "CCMP-256" "GCMP" "GCMP-256"]));
+ ++ optionals bssCfg.authentication.enableRecommendedPairwiseCiphers ["CCMP" "GCMP" "GCMP-256"]));
 in { settings = { ssid = bssCfg.ssid;
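Review bot: The added description line has a subject/verb mismatch: with two subjects, `GCMP and GCMP-256 is often only available …` should read `GCMP and GCMP-256 are often only available with devices supporting WiFi 5 (IEEE 802.11ac) or higher.` The description now ranks ciphers by how widely they are supported but does not say why that matters. The release note in this commit does: every configured pairwise cipher has to be supported by the radio. Repeating that one sentence here would tell a reader the consequence of listing `CCMP-256`. The option's description starts before this hunk.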
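Review bot: The recommended list on the `++ optionals bssCfg.authentication.enableRecommendedPairwiseCiphers` line still appends `GCMP` and `GCMP-256`, which the description changed in this same commit says are often only available on WiFi 5 or newer devices. Since the release note states that every configured pairwise cipher must be supported by the radio, the startup failure can presumably still occur on older radios when this option is enabled. The literal list also carries no explanation where it is used; a comment such as `# CCMP-256 is left out on purpose: every listed cipher must be supported by the radio, and CCMP-256 support is rare` would keep a later edit from re-adding it. If the description of `enableRecommendedPairwiseCiphers` (not visible in this hunk) enumerates the ciphers, it needs the same update. The `let` binding begins before the hunk and the `in { settings = …` body continues past it.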