CVE-2026-63089

wg-easy · wg-easy

WireGuard Easy contains a cryptographically weak one-time link token generation vulnerability, allowing unauthenticated attackers to brute-force credentials and impersonate VPN peers.

Executive summary

A critical vulnerability in WireGuard Easy allows unauthenticated attackers to recover sensitive VPN peer credentials through brute-force exploitation of weak token generation.

Vulnerability

The application utilizes a cryptographically weak pseudo-random number generator, specifically CRC32 on a constrained range, to create one-time link tokens. This flaw, combined with a lack of rate limiting on the unauthenticated /cnf/:oneTimeLink route, allows an unauthenticated attacker to brute-force the small keyspace and obtain private cryptographic keys.

Business impact

The successful exploitation of this vulnerability results in full compromise of VPN peer credentials. This grants unauthorized attackers the ability to impersonate legitimate users on the internal network, leading to potential data exfiltration, lateral movement, and total loss of confidentiality regarding encrypted VPN traffic. The CVSS score of 9.3 reflects the severe risk to network integrity and the ease of exploitation for unauthenticated remote actors.

Remediation

Immediate Action: Upgrade to the latest version of wg-easy, or specifically apply the fix provided in commit 66b292b11bde3664f05ffb016c8082665d261ded.

Proactive Monitoring: Review web access logs for high volumes of requests directed at the /cnf/ endpoint, which may indicate automated brute-force attempts.

Compensating Controls: Implement strict network access control lists (ACLs) to limit exposure of the management interface to trusted administrative IP addresses only.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical severity and the ease with which an attacker can bypass authentication to harvest VPN credentials, immediate remediation is required. Organizations must prioritize patching their WireGuard Easy instances to the fixed version to prevent unauthorized network access and potential data exposure.