CVE-2025-44647

7.3 HIGH

📋 TL;DR

This vulnerability allows attackers to conduct offline brute-force attacks against the TRENDnet TEW-WLC100P wireless LAN controller's VPN configuration. By exploiting IKEv1 Aggressive Mode with Pre-Shared Keys, attackers can capture and crack the PSK hash transmitted in the clear. This affects all users of TRENDnet TEW-WLC100P version 2.03b03 with strongSwan VPN enabled.

💻 Affected Systems

Products:
  • TRENDnet TEW-WLC100P
Versions: 2.03b03
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with strongSwan VPN configured and using IKEv1 with PSK authentication.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete VPN compromise allowing unauthorized network access, data interception, and potential lateral movement into connected networks.

🟠 Likely Case

VPN credential theft leading to unauthorized VPN access and potential man-in-the-middle attacks on VPN traffic.

🟢 If Mitigated

Limited to failed authentication attempts if strong PSKs are used and network monitoring detects brute-force attempts.

🌐 Internet-Facing: HIGH - VPN endpoints exposed to the internet are directly vulnerable to remote attacks.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit this but require network access to capture IKE traffic.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attack requires capturing IKEv1 Aggressive Mode handshake packets, then offline PSK hash cracking.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: http://tew-wlc100p.com

Restart Required: No

Instructions:

1. Access TRENDnet TEW-WLC100P web interface
2. Navigate to VPN settings
3. Disable IKEv1 Aggressive Mode
4. Use IKEv2 or Main Mode instead
5. Consider switching to certificate-based authentication

🔧 Temporary Workarounds

Disable IKEv1 Aggressive Mode

Platform: Linux

Modify the strongSwan configuration to disable Aggressive Mode and enforce Main Mode:

1. Edit /etc/ipsec.conf or the equivalent config file
2. Set 'aggressive=no' in conn sections
3. Restart the strongSwan service

Enforce Strong PSK

Platform: All

Use complex, long pre-shared keys to make offline cracking impractical:

1. Generate a random PSK of 32+ characters
2. Update the PSK on all VPN endpoints

🧯 If You Can't Patch

  • Segment VPN traffic to isolated network segment
  • Implement network monitoring to detect IKEv1 Aggressive Mode handshakes

🔍 How to Verify

Check if Vulnerable:

Check strongSwan configuration file for 'i_dont_care_about_security_and_use_aggressive_mode_psk=yes' or aggressive mode enabled in conn definitions.
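The following is an added example (not TRENDnet or strongSwan code) that covers both the workaround step above (setting 'aggressive=no' in conn sections) and this verification step: it parses an ipsec.conf, merges 'conn %default' into each named conn, and reports the conns that still combine IKEv1 Aggressive Mode with PSK authentication. The two sample configurations are constructed inline, one with the weak setting and one with the corrected setting; on a real device you would feed it the contents of /etc/ipsec.conf. The defaults assumed for missing parameters (keyexchange=ike, authby=pubkey, aggressive=no) are strongSwan's documented defaults.

```python
"""Report strongSwan conn sections exposed to IKEv1 Aggressive Mode PSK capture.

Added example, not vendor or project code. Sample configs below are constructed.
"""

# Constructed sample: the weak configuration (IKEv1, PSK, Aggressive Mode on).
WEAK_CONF = """\
config setup
    uniqueids=yes

conn %default
    keyexchange=ikev1
    authby=secret

conn site-to-site
    aggressive=yes          # the setting this advisory is about
    left=%any
    right=203.0.113.10
    auto=start
"""

# Constructed sample: the corrected configuration (IKEv2, certificates, no Aggressive Mode).
FIXED_CONF = """\
conn %default
    keyexchange=ikev2
    authby=pubkey

conn site-to-site
    aggressive=no
    left=%any
    right=203.0.113.10
    auto=start
"""


def parse_ipsec_conf(text):
    """Return {(kind, name): {key: value}} for every section in an ipsec.conf.

    A line starting in column 0 opens a section ('conn foo', 'config setup');
    indented key=value lines belong to the most recently opened section.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.strip().partition(" ")
            current = (kind, name.strip())
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def effective_conns(sections):
    """Apply 'conn %default' to each named conn, as strongSwan does."""
    default = sections.get(("conn", "%default"), {})
    conns = {}
    for (kind, name), params in sections.items():
        if kind == "conn" and name != "%default":
            merged = dict(default)
            merged.update(params)
            conns[name] = merged
    return conns


def uses_psk(params):
    """True if the conn authenticates with a pre-shared key."""
    authby = params.get("authby", "pubkey").lower()  # strongSwan default: pubkey
    if authby in ("secret", "psk", "xauthpsk"):
        return True
    return any(params.get(k, "").lower() == "psk" for k in ("leftauth", "rightauth"))


def aggressive_psk_conns(text):
    """Names of conns that allow IKEv1 Aggressive Mode with PSK authentication."""
    findings = []
    for name, p in effective_conns(parse_ipsec_conf(text)).items():
        keyexchange = p.get("keyexchange", "ike").lower()  # 'ike' accepts IKEv1 too
        aggressive = p.get("aggressive", "no").lower() == "yes"
        if aggressive and keyexchange in ("ike", "ikev1") and uses_psk(p):
            findings.append(name)
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, "->", aggressive_psk_conns(conf) or "no exposed conns")
```

Run it against the device's exported ipsec.conf before and after applying the workaround; an empty result for every conn means no section can still negotiate an Aggressive Mode PSK exchange, which is the condition the "Verify Fix Applied" step asks for.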

Check Version:

Check web interface or use 'ipsec --version' on device CLI

Verify Fix Applied:

Verify aggressive mode is disabled in configuration and test VPN connection uses Main Mode or IKEv2.

📡 Detection & Monitoring

Log Indicators:

  • IKEv1 Aggressive Mode handshake attempts
  • Multiple failed authentication attempts from single source

Network Indicators:

  • IKEv1 Aggressive Mode packets (UDP port 500)
  • PSK hash in cleartext during handshake

SIEM Query:

source_port:500 AND protocol:udp AND (packet_content:"aggressive" OR packet_content:"hash")
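String-matching packet content, as the SIEM query above does, is fragile because IKE packets do not carry the word "aggressive"; the mode is encoded in the ISAKMP header's exchange-type byte (2 = Main Mode, 4 = Aggressive Mode in IKEv1; 34/35 = IKEv2). The added example below (not vendor code) decodes that header per RFC 2408 and counts, per source address, the Aggressive Mode exchanges seen on UDP/500, which implements the network indicator listed above directly. The sample flows are constructed inline; in practice the payloads would come from a capture or a UDP/500 sensor.

```python
"""Detect IKEv1 Aggressive Mode exchanges on UDP/500 from the ISAKMP header.

Added example, not vendor code. Sample packets are constructed below.
"""
import struct
from collections import Counter

# ISAKMP header (RFC 2408, 28 bytes):
#   initiator SPI (8) | responder SPI (8) | next payload (1) | version (1)
#   exchange type (1) | flags (1) | message ID (4) | length (4)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")

EXCHANGE_NAMES = {
    2: "IKEv1 Main Mode (Identity Protection)",
    4: "IKEv1 Aggressive Mode",
    34: "IKEv2 IKE_SA_INIT",
    35: "IKEv2 IKE_AUTH",
}


def parse_isakmp(payload):
    """Decode the ISAKMP header of a UDP/500 payload; None if too short."""
    if len(payload) < ISAKMP_HDR.size:
        return None
    ispi, rspi, _nxt, ver, xchg, _flags, _msg_id, length = ISAKMP_HDR.unpack_from(payload)
    return {
        "major": ver >> 4,          # 1 for IKEv1, 2 for IKEv2
        "minor": ver & 0x0F,
        "exchange": xchg,
        "exchange_name": EXCHANGE_NAMES.get(xchg, f"unknown({xchg})"),
        "initiator_spi": ispi.hex(),
        "responder_spi": rspi.hex(),
        "length": length,
    }


def is_aggressive_mode(payload):
    """True for an IKEv1 packet whose exchange type is Aggressive (4)."""
    hdr = parse_isakmp(payload)
    return hdr is not None and hdr["major"] == 1 and hdr["exchange"] == 4


def build_isakmp(ispi, rspi, version, exchange, length, next_payload=1):
    """Build a bare ISAKMP header (used only to construct sample packets)."""
    return ISAKMP_HDR.pack(ispi, rspi, next_payload, version, exchange, 0, 0, length)


# Constructed sample flows: (source IP, destination UDP port, UDP payload).
# A responder SPI of all zeros marks the initiator's first message of an exchange.
SAMPLE_FLOWS = [
    ("198.51.100.7", 500, build_isakmp(b"\x11" * 8, b"\x00" * 8, 0x10, 4, 312)),  # IKEv1 aggressive
    ("198.51.100.7", 500, build_isakmp(b"\x12" * 8, b"\x00" * 8, 0x10, 4, 312)),  # IKEv1 aggressive
    ("198.51.100.7", 500, build_isakmp(b"\x13" * 8, b"\x00" * 8, 0x10, 4, 312)),  # IKEv1 aggressive
    ("192.0.2.20", 500, build_isakmp(b"\x21" * 8, b"\x00" * 8, 0x10, 2, 168)),    # IKEv1 main mode
    ("192.0.2.30", 500, build_isakmp(b"\x31" * 8, b"\x00" * 8, 0x20, 34, 240)),   # IKEv2 IKE_SA_INIT
    ("192.0.2.40", 500, b"\x00\x01"),                                              # truncated junk
]


def aggressive_mode_initiators(flows, threshold=1):
    """Map source IP -> number of Aggressive Mode packets sent to UDP/500.

    Only sources at or above `threshold` are returned, so a SIEM rule can
    alert on repeated exchanges from one source (the brute-force pattern).
    """
    counts = Counter(
        src for src, port, payload in flows
        if port == 500 and is_aggressive_mode(payload)
    )
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for src, n in aggressive_mode_initiators(SAMPLE_FLOWS).items():
        print(f"{src}: {n} IKEv1 Aggressive Mode packet(s) to UDP/500")
```

Any Aggressive Mode exchange at all is worth an alert once the device has been reconfigured to Main Mode or IKEv2, since the controller should then never negotiate one; before that, a burst of exchanges from a single source with fresh initiator SPIs and a zero responder SPI is the pattern to watch for.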
