Skip to main content

TRENDnet TEW-WLC100P CVE-2025-44649

HIGH
Cleartext Storage of Sensitive Information (CWE-312)
2025-07-21 cve@mitre.org
7.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Identity/PSK-hash exposure is remotely observable or triggerable with no auth (AV:N/AC:L/PR:N); confidentiality-only impact (C:H, I/A:N), matching the information-disclosure nature and no scope change.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 01:37 vuln.today

DescriptionCVE.org

In the configuration file of racoon in the TRENDnet TEW-WLC100P 2.03b03, the first item of exchage_mode is set to aggressive. Aggressive mode in IKE Phase 1 exposes identity information in plaintext, is vulnerable to offline dictionary attacks, and lacks flexibility in negotiating security parameters.

AnalysisAI

Cleartext identity exposure in the TRENDnet TEW-WLC100P wireless controller (firmware 2.03b03) stems from its bundled racoon IKE daemon shipping with aggressive mode as the first exchange_mode entry. Because IKE Phase 1 aggressive mode transmits identity payloads in plaintext and sends a hash of the pre-shared key that can be captured, any party observing or initiating a negotiation can harvest identities and mount offline dictionary attacks against the PSK. No public exploit identified at time of analysis and the EPSS probability is low (0.27%, 19th percentile), consistent with a configuration-hardening weakness rather than a mass-exploited flaw.

Technical ContextAI

The affected component is racoon, the IKEv1 key-management daemon (historically from the ipsec-tools/KAME project) used to establish IPsec Security Associations. IKE Phase 1 supports two exchange modes: main mode, which protects identity payloads inside an encrypted exchange, and aggressive mode, which compresses the handshake into three messages and sends the initiator/responder identity and a PSK-derived hash before an encrypted channel is established. Setting aggressive as the first exchange_mode in racoon.conf makes the device negotiate this weaker mode. This maps to CWE-312 (Cleartext Storage/Transmission of Sensitive Information): the identity and the material enabling a PSK guessing attack are exposed without confidentiality protection. The single affected build is identified by cpe:2.3:o:trendnet:tew-wlc100p_firmware:2.03b03.

RemediationAI

No vendor-released patch identified at time of analysis; check TRENDnet for a firmware update superseding 2.03b03 before deploying compensating controls. The primary compensating control is to reconfigure the racoon daemon to remove aggressive mode and use main mode exclusively - edit racoon.conf so exchange_mode is set to main (removing or reordering the aggressive entry), which protects identity payloads and eliminates the offline PSK hash exposure, at the cost of a slightly slower Phase 1 handshake and potential incompatibility with peers that only support aggressive mode. If aggressive mode cannot be disabled (for example, when a remote peer requires it), enforce a long, high-entropy pre-shared key or migrate to certificate-based authentication to defeat offline dictionary attacks, and restrict IKE/IPsec (UDP 500/4500) reachability to known peer IPs via firewall rules to limit who can initiate or observe negotiations. Consult the researcher writeups (the GitHub gist and Notion page above) for configuration specifics, but validate any change against vendor guidance since these are not official advisories.

Share

CVE-2025-44649 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy