CVE-2025-15604
Published: 28 March 2026
Summary
CVE-2025-15604 is a critical-severity PRNG (CWE-338) vulnerability in Tokuhirom Amon2. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 6.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and IA-5 (Authenticator Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
Directly mandates timely identification, reporting, and correction of the insecure random_string flaw by patching to Amon2 6.17, preventing predictable token generation.
Ensures cryptographic keys and secrets for cookie signing/encryption generated by random_string use adequate entropy sources, mitigating weak PRNG fallback predictability.
Requires secure management and generation of authenticators such as session IDs and CSRF tokens with sufficient randomness strength to resist prediction attacks.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
Weak PRNG enables remote prediction of session IDs/CSRF tokens/cookie secrets in public-facing Amon2 apps (T1190), allowing forged web session cookies for impersonation and auth bypass (T1550.004).
NVD Description
Amon2 versions before 6.17 for Perl use an insecure random_string implementation for security functions. In versions 6.06 through 6.16, the random_string function will attempt to read bytes from the /dev/urandom device, but if that is unavailable then it generates bytes by concatenating a SHA-1 hash seeded with the built-in rand() function, the PID, and the high resolution epoch time. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Before version 6.06, there was no fallback when /dev/urandom was not available. Before version 6.04, the random_string function used the built-in rand() function to generate a mixed-case alphanumeric string. This function may be used for generating session ids, generating secrets for signing or encrypting cookie session data and generating tokens used for Cross Site Request Forgery (CSRF) protection.
Deeper analysis [AI]
CVE-2025-15604 is a critical vulnerability in the Amon2 Perl web framework, affecting versions before 6.17. The issue stems from an insecure implementation of the random_string function, which is used for generating security-sensitive values such as session IDs, secrets for signing or encrypting cookie session data, and Cross-Site Request Forgery (CSRF) protection tokens. In versions 6.06 through 6.16, if /dev/urandom is unavailable, the function falls back to generating bytes via a SHA-1 hash seeded with Perl's built-in rand() function, the process ID (PID), and high-resolution epoch time; these seeds are predictable due to the limited PID range, guessable timestamps (potentially leaked via HTTP Date headers), and rand()'s unsuitability for cryptography. Earlier versions had even weaker mechanisms: no fallback before 6.06 and direct use of rand() for alphanumeric strings before 6.04. The vulnerability is rated CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWEs 338 (Use of Cryptographically Weak Pseudo-Random Number Generator) and 340 (Generation of Predictable Numbers or Identifiers).
Remote attackers require no privileges or user interaction to exploit this, as it enables prediction of security tokens over the network with low complexity. By guessing session IDs, cookie signing secrets, or CSRF tokens—leveraging observable patterns like PIDs and timestamps—an attacker can impersonate users, hijack sessions, decrypt or forge cookie data, bypass CSRF protections, and potentially achieve full compromise of affected applications (high confidentiality, integrity, and availability impact).
Advisories recommend upgrading to Amon2 version 6.17, which addresses the issue via changes to the random_string function in lib/Amon2/Util.pm, as detailed in the release changes, a specific code diff, and GitHub pull request #135. A MetaCPAN security guide emphasizes using proper random data sources for security contexts, and the OSS-security mailing list announcement highlights the fallback mechanism's flaws. Ensure /dev/urandom availability in deployment environments to avoid reliance on insecure fallbacks even in patched versions.
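The two checks recommended above, as an added Perl example (not code from Amon2 or from the advisories): it reports an installed Amon2 older than 6.17 or a missing /dev/urandom, and shows a token generator that fails closed instead of falling back to rand(), the PID or the clock. The names audit_amon2 and strict_random_string are hypothetical.

```perl
#!/usr/bin/env perl
# Added example, not Amon2's code: deployment check plus a fail-closed generator.
use strict;
use warnings;
use version;

my $FIXED = version->parse('6.17');    # fixed release named in the advisory

# Returns a list of findings; an empty list means nothing to report for this CVE.
sub audit_amon2 {
    my @findings;
    if (eval { require Amon2; 1 }) {   # only checked when Amon2 is installed
        my $have = eval { version->parse(Amon2->VERSION) };
        push @findings, 'Amon2 ' . (Amon2->VERSION // 'unknown') . ' is older than 6.17'
            if !defined $have || $have < $FIXED;
    }
    push @findings, '/dev/urandom is not a readable character device'
        unless -c '/dev/urandom' && -r _;
    return @findings;
}

# Hypothetical helper: $len characters of [A-Za-z0-9] drawn from /dev/urandom.
# Dies when the device is missing rather than using a predictable fallback.
sub strict_random_string {
    my ($len) = @_;
    my @chars = ('A' .. 'Z', 'a' .. 'z', '0' .. '9');    # 62 symbols
    open my $fh, '<:raw', '/dev/urandom'
        or die "no secure random source: $!";
    my $out = '';
    while (length($out) < $len) {
        my $n = read($fh, my $buf, $len * 2);
        die 'short read from /dev/urandom' unless $n;
        for my $byte (unpack 'C*', $buf) {
            next if $byte >= 248;      # 248 = 4 * 62; skipping 248..255 avoids modulo bias
            $out .= $chars[$byte % 62];
            last if length($out) == $len;
        }
    }
    close $fh;
    return $out;
}

print "FINDING: $_\n" for audit_amon2();
print 'sample token: ', strict_random_string(32), "\n";
```

Run it with the same perl and @INC as the application, inside the same container or chroot, since that is where /dev/urandom may be absent.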
Details
- CWE(s)