SYS::ONLINE
Wasteland.
Briefs1223
Issues19
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-63089 2026-07-16

WireGuard Easy Weak Token Flaw Exposes VPN Peer Credentials (CVE-2026-63089)

"A cryptographically weak one-time link token in WireGuard Easy (wg-easy) lets unauthenticated network attackers brute-force and steal VPN peer credentials, earning a CVSS 9.3 CRITICAL rating."

A cryptographically weak one-time link token in WireGuard Easy (wg-easy) lets unauthenticated network attackers brute-force and steal VPN peer credentials, earning a CVSS 9.3 CRITICAL rating.

What Is It

CVE-2026-63089 is a weak random-value token generation flaw in WireGuard Easy through version 15.3.0. The application's one-time link token is computed using CRC32 over a random value constrained to the range 0–999, producing a keyspace of at most 1000 candidate tokens per client ID. Because the tokens are predictable, an unauthenticated attacker can enumerate candidates against the /cnf/:oneTimeLink route. That route lacks rate limiting and does not validate token expiration, allowing brute-force recovery of a peer's PrivateKey and PresharedKey. The vulnerability is classified under CWE-338 (weak PRNG) and CWE-613 (insufficient session expiration).

Why It Matters

With valid credentials in hand, an attacker can impersonate a legitimate peer on the VPN network; directly undermining the confidentiality the VPN is meant to provide. The flaw is network-exploitable (AV:N), requires low attack complexity (AC:L), and needs no privileges or user interaction. The VulnCheck advisory assigns a CVSS 3.1 base score of 9.3 (CRITICAL) with a scope change, reflecting that a compromised token grants access to resources beyond the vulnerable component itself. A CVSS 4.0 score of 9.0 is also recorded.

What's Vulnerable

Patch Status

The issue is fixed in commit 66b292b11bde3664f05ffb016c8082665d261ded, delivered via pull request #2661. Administrators running wg-easy 15.3.0 or earlier should upgrade to a build containing this fix. No CISA KEV entry was supplied, so active exploitation is not confirmed in this source material.

Sources