Let's assume that one client contains malware, and that it belongs to a Wi-Fi network protected with WPA2/Personal (hence, via a password known to the piece of malware), where some other vulnerable clients are present.
I can activate some filtering or other security measures in the Wi-Fi Access Point, so that any malicious traffic from the rogue device is blocked.
Still, I understand that the rogue device is theoretically able, with some sniffing, to figure out the unique key (PTK) that any other client in the network shares with the AP.
With that key, can the rogue device try to attack (e.g. probe for vulnerabilities) the other devices, fully bypassing the AP? What does that scenario look like?