Cyber Resilience

CVE-2025-15444

Critical

Published: 06 January 2026

Published
06 January 2026
Modified
10 March 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0023 13.3th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-15444 is a critical-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Iamb Crypt\. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-15444 affects the Crypt::Sodium::XS Perl module in versions prior to 0.000042, which bundles a vulnerable version of libsodium (versions <= 1.0.20 or released before December 30, 2025). This vulnerability stems from CVE-2025-69277 in libsodium, where the crypto_core_ed25519_is_valid_point function mishandles checks for elliptic curve point validity in atypical use cases, such as custom cryptography implementations or processing untrusted data. It incorrectly permits points outside the main cryptographic group, potentially undermining Ed25519-based security primitives. The issue is rated CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-347.

Remote attackers require no privileges or user interaction to exploit this over the network with low complexity. Exploitation targets applications using Crypt::Sodium::XS that invoke the vulnerable libsodium function with untrusted inputs, allowing attackers to supply malformed elliptic curve points. Successful exploitation can compromise confidentiality, integrity, and availability with high impact, such as forging signatures, decrypting data, or causing denial of service in affected cryptographic operations.

Advisories recommend updating to Crypt::Sodium::XS version 0.000042, which integrates libsodium 1.0.20-stable (released January 3, 2026) containing the fix. The libsodium patch is detailed in GitHub commit ad3004ec8731730e93fcfbbc824e67eadc1c1bae, and release notes are available on MetaCPAN. Additional analysis appears in a December 30, 2025, blog post at 00f.net.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Crypt::Sodium::XS module versions prior to 0.000042, for Perl, include a vulnerable version of libsodium libsodium <= 1.0.20 or a version of libsodium released before December 30, 2025 contains a vulnerability documented as CVE-2025-69277 https://www.cve.org/CVERecord?id=CVE-2025-69277 . The libsodium vulnerability states: In…

more

atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group. 0.000042 includes a version of libsodium updated to 1.0.20-stable, released January 3, 2026, which includes a fix for the vulnerability.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote exploitable cryptographic signature validation flaw in a public-facing library enables direct exploitation of applications using the module.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-30910Same product: Iamb Crypt\
CVE-2025-27773Shared CWE-347
CVE-2026-34840Shared CWE-347
CVE-2026-23965Shared CWE-347
CVE-2026-5050Shared CWE-347
CVE-2023-25574Shared CWE-347
CVE-2026-28432Shared CWE-347
CVE-2026-38651Shared CWE-347
CVE-2025-24043Shared CWE-347
CVE-2026-20997Shared CWE-347

Affected Assets

iamb
crypt\
\

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 requires organizations to identify, report, and correct flaws like the vulnerable libsodium in Crypt::Sodium::XS by timely updating to the fixed version 0.000042.

detect

RA-5 mandates vulnerability monitoring and scanning to detect deployments of vulnerable Crypt::Sodium::XS versions or embedded libsodium <=1.0.20.

detect

CM-8 ensures a complete inventory of system components, allowing identification of systems using the affected Perl module for targeted vulnerability assessment and patching.

References