Cyber Posture

CVE-2025-15578

Severity: Critical

Published: 16 February 2026
Modified: 10 March 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0006 (18.5th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-15578 is a critical-severity weak-PRNG (CWE-338) vulnerability in Teejay Maypole. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 18.5th percentile by exploit likelihood, below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-23 (Session Authenticity).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Directly mitigates the CVE by requiring identification, reporting, and timely correction of the insecure session ID generation flaw in Maypole.

IA-5 (Authenticator Management), prevent: Requires secure management of authenticators, including generation with sufficient entropy to prevent predictable session IDs based on weak seeds like time, rand(), and PID.

SC-23 (Session Authenticity), prevent: Protects the authenticity of sessions against hijacking attacks enabled by the CVE's predictable session ID generation.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1550.004 Web Session Cookie (Lateral Movement): Adversaries can use stolen session cookies to authenticate to web applications and services.
Why these techniques?

Directly enables remote exploitation of a public-facing Perl web framework (T1190) via predictable session IDs, allowing use of guessed web session tokens for hijacking (T1550.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Maypole versions from 2.10 through 2.13 for Perl generate session ids insecurely. The session id is seeded with the system time (which is available from HTTP response headers), a call to the built-in rand() function, and the PID.

Deeper analysis

CVE-2025-15578 is a vulnerability in Maypole versions 2.10 through 2.13 for Perl, where session IDs are generated insecurely. The session ID seed is built from three values a remote party can learn or guess: the system time, which is exposed via the HTTP Date response header; the output of Perl's built-in rand() function, which is not a cryptographic generator; and the process ID (PID), a small integer. The result is predictable session IDs, mapped to CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator), with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue was published on 2026-02-16.

The flaw is exploitable over the network with low attack complexity, requiring no privileges, no user interaction, and no change in scope. Because the seeds are guessable, an attacker can predict session IDs, enabling session hijacking, fixation, or other manipulation of user sessions, with high impact on confidentiality, integrity, and availability.

The only reference provided points to the vulnerable source code in Maypole's Session.pm at line 43: https://metacpan.org/dist/Maypole/source/lib/Maypole/Session.pm#L43. No additional advisories or patch details are available in the information behind this record.
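The weak-seed pattern described above, shown beside a CSPRNG-backed replacement, as an added Perl illustration that is not Maypole's own code. weak_session_id is a hypothetical reconstruction of the CWE-338 pattern, not the Session.pm source, and Crypt::URandom is an assumed CPAN dependency.

```perl
use strict;
use warnings;
use Digest::SHA    qw(sha256_hex);   # core module
use Crypt::URandom qw(urandom);      # CPAN; wraps the OS CSPRNG (assumed dependency)

# Hypothetical reconstruction of the CWE-338 pattern the advisory describes,
# not the actual Maypole::Session code. Every input is guessable remotely:
#   time()  is leaked by the HTTP Date response header
#   rand()  is Perl's non-cryptographic PRNG
#   $$      is the process ID, a small integer
# Hashing the concatenation hides the inputs but adds no entropy.
sub weak_session_id {
    return sha256_hex( time() . rand() . $$ );
}

# Hardened replacement: 256 bits straight from the OS CSPRNG, hex-encoded.
# Unpredictability comes from urandom itself, so no mixing step is needed.
sub secure_session_id {
    return unpack( 'H*', urandom(32) );
}

# Sanity check a maintainer could keep in the test suite: fixed length,
# lowercase hex, and no repeats across a batch of generated IDs.
# Note that the weak generator passes this check too: format and
# uniqueness tests cannot detect predictability; only the entropy source fixes it.
sub session_ids_look_sane {
    my ( $gen, $count ) = @_;
    my %seen;
    for ( 1 .. $count ) {
        my $id = $gen->();
        return 0 unless $id =~ /\A[0-9a-f]{64}\z/;
        return 0 if $seen{$id}++;
    }
    return 1;
}

print secure_session_id(), "\n";
print session_ids_look_sane( \&secure_session_id, 1000 ) ? "ok\n" : "FAIL\n";
```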

Details

CWE(s): CWE-338

Affected Products: teejay / maypole, versions 2.111, 2.121 (affected range 2.10 through 2.13)

CVEs Like This One

CVE-2025-15604 (shared CWE-338)
CVE-2025-40926 (shared CWE-338)
CVE-2026-5085 (shared CWE-338)
CVE-2025-40932 (shared CWE-338)
CVE-2025-66630 (shared CWE-338)
CVE-2026-2439 (shared CWE-338)
CVE-2025-40905 (shared CWE-338)
CVE-2024-58041 (shared CWE-338)
CVE-2024-57854 (shared CWE-338)
CVE-2026-25726 (shared CWE-338)

References

https://metacpan.org/dist/Maypole/source/lib/Maypole/Session.pm#L43