Skip to main content

TRENDnet TEW-WLC100P CVE-2025-44647

HIGH
Initialization of a Resource with an Insecure Default (CWE-1188)
2025-07-21 cve@mitre.org
7.3
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
vuln.today AI
5.3 MEDIUM

Network-reachable default-enabled Aggressive Mode leaks the PSK hash (C:L); integrity/availability impact is only realized after a separate offline PSK crack, so I:N/A:N at base.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 01:32 vuln.today

DescriptionCVE.org

In TRENDnet TEW-WLC100P 2.03b03, the i_dont_care_about_security_and_use_aggressive_mode_psk option is enabled in the strongSwan configuration file, so that IKE Responders are allowed to use IKEv1 Aggressive Mode with Pre-Shared Keys to conduct offline attacks on the openly transmitted hash of the PSK.

AnalysisAI

Pre-Shared Key hash disclosure affects the TRENDnet TEW-WLC100P wireless LAN controller running firmware 2.03b03, whose bundled strongSwan configuration ships with the i_dont_care_about_security_and_use_aggressive_mode_psk option enabled by default. Because the IKE responder accepts IKEv1 Aggressive Mode with PSK, it transmits the PSK hash in the clear during negotiation, letting a network-positioned attacker capture it and mount an offline dictionary/brute-force crack to recover the VPN pre-shared secret. There is no public exploit identified at time of analysis, no CISA KEV listing, and EPSS is low (0.36%), reflecting an information-disclosure weakness rather than direct remote code execution.

Technical ContextAI

The affected component is strongSwan, an open-source IPsec/IKE daemon embedded in the TEW-WLC100P firmware. IKEv1 has two phase-1 negotiation modes: Main Mode, which protects the identity and PSK-derived material inside an encrypted exchange, and Aggressive Mode, which sends the responder's PSK hash (an HMAC over known/observable values plus the shared secret) in only three unencrypted messages. strongSwan deliberately gates this legacy behavior behind the intentionally alarming flag name i_dont_care_about_security_and_use_aggressive_mode_psk; TRENDnet enabled it in the shipped config. The root cause is classified as CWE-1188 (Insecure Default Initialization of Resource) - the device is delivered in an insecure state without the operator opting in. Once the hash is captured, tools such as ike-scan/psk-crack or hashcat can grind candidate passphrases offline at high speed, with no further interaction with the device.

RemediationAI

No vendor-released patch identified at time of analysis, and no fixed firmware version is enumerated in the available data. The primary compensating control is to disable IKEv1 Aggressive Mode on the device: set i_dont_care_about_security_and_use_aggressive_mode_psk=no (or remove it) in the strongSwan configuration and require IKEv1 Main Mode or migrate to IKEv2, which does not expose PSK hashes this way - the trade-off is that legacy peers that only support Aggressive Mode will fail to connect. If Aggressive Mode cannot be removed, replace any short/dictionary PSK with a long high-entropy random pre-shared key (or move to certificate-based authentication) so that a captured hash is computationally infeasible to crack, and restrict IKE/IPsec (UDP 500/4500) exposure to known peer IPs via firewall ACLs to limit who can solicit the hash. Monitor for a TRENDnet firmware update addressing CVE-2025-44647 and apply it once released; consult the researcher references above for exploitation details in the interim.

Share

CVE-2025-44647 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy