diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
index 540b1389a..1c6c715df 100644
--- a/wpa_supplicant/wnm_sta.c
+++ b/wpa_supplicant/wnm_sta.c
@@ -533,6 +533,14 @@ static void wnm_send_bss_transition_mgmt_resp(
 	if (target_bssid) {
 		os_memcpy(pos, target_bssid, ETH_ALEN);
 		pos += ETH_ALEN;
+	} else if (status == WNM_BSS_TM_ACCEPT) {
+		/*
+		 * P802.11-REVmc clarifies that the Target BSSID field is always
+		 * present when status code is zero, so use a fake value here if
+		 * no BSSID is yet known.
+		 */
+		os_memset(pos, 0, ETH_ALEN);
+		pos += ETH_ALEN;
 	}
 
 	len = pos - (u8 *) &mgmt->u.action.category;
@@ -574,7 +582,7 @@ void wnm_scan_response(struct wpa_supplicant *wpa_s,
 			wnm_send_bss_transition_mgmt_resp(wpa_s,
 						  wpa_s->wnm_dialog_token,
 						  WNM_BSS_TM_ACCEPT,
-						  0, NULL);
+						  0, bssid);
 		}
 
 		wpa_s->reassociate = 1;