Cyber Resilience

CVE-2024-25389

High

Published: 27 March 2024
Modified: 04 November 2025
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0034 (57.4th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-25389 is a high-severity use of a cryptographically weak PRNG (CWE-338) in RT-Thread (vendor rt-thread, product rt-thread). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Reduce Key Space (T1600.001). The CVE ranks in the top 42.6% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

RT-Thread through 5.0.2 generates random numbers with a weak algorithm of "seed = 214013L * seed + 2531011L; return (seed >> 16) & 0x7FFF;" in calc_random in drivers/misc/rt_random.c.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1600.001 Reduce Key Space (Defense Impairment)
Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.
Why these techniques?

The weak random number generator is a predictable linear congruential generator with low entropy. Cryptographic operations that rely on it (for example to produce nonces or keys) therefore have a reduced effective key space, which lets adversaries break the resulting encryption more easily.
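Added example, not code from the RT-Thread project or from this advisory: the generator quoted under Vulnerability details reimplemented as weak_rand(), a key derivation weak_key() that shows why the 32-bit state caps any derived key at 2^32 possibilities (the "reduce key space" effect described above), and a hardened secure_key() that takes key material from the kernel CSPRNG instead. The function names are hypothetical, and secure_key() assumes a hosted Linux/BSD build with /dev/urandom.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The generator quoted in the advisory (calc_random in drivers/misc/rt_random.c),
 * reproduced for demonstration: a 32-bit linear congruential generator that
 * returns 15 bits of its state per call. Not the original file. */
static uint32_t weak_state = 1;
void weak_srand(uint32_t seed) { weak_state = seed; }

int weak_rand(void)
{
    weak_state = 214013u * weak_state + 2531011u;   /* wraps modulo 2^32 */
    return (int)((weak_state >> 16) & 0x7FFF);
}

/* Derive key_len key bytes from the weak generator. The whole key is a function
 * of the 32-bit seed, so however long the key, at most 2^32 distinct keys can
 * exist: the effective key space is 32 bits regardless of key_len. */
void weak_key(uint32_t seed, uint8_t *key, size_t key_len)
{
    weak_srand(seed);
    for (size_t i = 0; i < key_len; i++)
        key[i] = (uint8_t)(weak_rand() & 0xFF);
}

/* Hardened form (assumes a hosted Linux/BSD build): draw key material from the
 * kernel CSPRNG via /dev/urandom. Returns 0 on success, -1 on failure. */
int secure_key(uint8_t *key, size_t key_len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t got = fread(key, 1, key_len, f);
    fclose(f);
    return got == key_len ? 0 : -1;
}

int main(void)
{
    uint8_t a[16], b[16], c[16], d[16];
    weak_key(1, a, sizeof a);
    weak_key(1, b, sizeof b);
    printf("weak: same 32-bit seed -> identical 128-bit key: %s\n",
           memcmp(a, b, sizeof a) == 0 ? "yes" : "no");
    if (secure_key(c, sizeof c) == 0 && secure_key(d, sizeof d) == 0)
        printf("secure: two independent draws identical: %s\n",
               memcmp(c, d, sizeof c) == 0 ? "yes" : "no");
    return 0;
}
```

With seed 1 the weak generator yields 41, 18467, 6334, ... on every platform, which is why any key it produces is reproducible from a 32-bit guess.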

Affected Assets

Vendor: rt-thread; product: rt-thread; versions ≤ 5.0.2

Mitigating Controls

Likely Mitigating Controls (AI-mapped)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-338: Security associations share details on cryptographically weak PRNGs, helping avoid their implementation in security-critical functions.

Addresses CWE-338: Cryptographic key management standards require cryptographically strong PRNGs for key material, blocking use of weak generators.