TRENDnet TEW-WLC100P CVE-2025-44649
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identity/PSK-hash exposure is remotely observable or triggerable with no auth (AV:N/AC:L/PR:N); confidentiality-only impact (C:H, I/A:N), matching the information-disclosure nature and no scope change.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
In the configuration file of racoon in the TRENDnet TEW-WLC100P 2.03b03, the first item of exchage_mode is set to aggressive. Aggressive mode in IKE Phase 1 exposes identity information in plaintext, is vulnerable to offline dictionary attacks, and lacks flexibility in negotiating security parameters.
AnalysisAI
Cleartext identity exposure in the TRENDnet TEW-WLC100P wireless controller (firmware 2.03b03) stems from its bundled racoon IKE daemon shipping with aggressive mode as the first exchange_mode entry. Because IKE Phase 1 aggressive mode transmits identity payloads in plaintext and sends a hash of the pre-shared key that can be captured, any party observing or initiating a negotiation can harvest identities and mount offline dictionary attacks against the PSK. No public exploit identified at time of analysis and the EPSS probability is low (0.27%, 19th percentile), consistent with a configuration-hardening weakness rather than a mass-exploited flaw.
Technical ContextAI
The affected component is racoon, the IKEv1 key-management daemon (historically from the ipsec-tools/KAME project) used to establish IPsec Security Associations. IKE Phase 1 supports two exchange modes: main mode, which protects identity payloads inside an encrypted exchange, and aggressive mode, which compresses the handshake into three messages and sends the initiator/responder identity and a PSK-derived hash before an encrypted channel is established. Setting aggressive as the first exchange_mode in racoon.conf makes the device negotiate this weaker mode. This maps to CWE-312 (Cleartext Storage/Transmission of Sensitive Information): the identity and the material enabling a PSK guessing attack are exposed without confidentiality protection. The single affected build is identified by cpe:2.3:o:trendnet:tew-wlc100p_firmware:2.03b03.
RemediationAI
No vendor-released patch identified at time of analysis; check TRENDnet for a firmware update superseding 2.03b03 before deploying compensating controls. The primary compensating control is to reconfigure the racoon daemon to remove aggressive mode and use main mode exclusively - edit racoon.conf so exchange_mode is set to main (removing or reordering the aggressive entry), which protects identity payloads and eliminates the offline PSK hash exposure, at the cost of a slightly slower Phase 1 handshake and potential incompatibility with peers that only support aggressive mode. If aggressive mode cannot be disabled (for example, when a remote peer requires it), enforce a long, high-entropy pre-shared key or migrate to certificate-based authentication to defeat offline dictionary attacks, and restrict IKE/IPsec (UDP 500/4500) reachability to known peer IPs via firewall rules to limit who can initiate or observe negotiations. Consult the researcher writeups (the GitHub gist and Notion page above) for configuration specifics, but validate any change against vendor guidance since these are not official advisories.
More in Tew Wlc100P Firmware
View allSame weakness CWE-312 – Cleartext Storage of Sensitive Information
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today