CVE-2025-15618

Critical

Published: 31 March 2026

Published

31 March 2026

Modified

13 April 2026

KEV Added

—

Patch

—

CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Score 0.0005 16.9th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-15618 is a critical-severity PRNG (CWE-338) vulnerability in Mock Business\. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001); ranked at the 16.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SC-13 (Cryptographic Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Credentials In Files (T1552.001). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SC-12 Cryptographic Key Establishment and Management good match

prevent

Requires proper cryptographic key establishment and management with sufficient entropy sources, directly preventing the use of weak PRNG like Perl's rand() for secret key generation.

SC-13 Cryptographic Protection good match

prevent

Mandates implementation of cryptographic protections using approved mechanisms for confidentiality and integrity of sensitive data like credit card transactions, countering the flawed encryption.

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and remediation of flaws such as the weak key generation vulnerability, including application of the available security patch.

MITRE ATT&CK Enterprise TechniquesAI

T1552.001 Credentials In Files Credential Access

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

attack.mitre.org →

Why these techniques?

Weak key generation enables decryption of stored sensitive transaction data (treated as unsecured credentials in files).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key. Business::OnlinePayment::StoredTransaction generates a secret key by using a MD5 hash of a single call to the built-in rand function, which is unsuitable for cryptographic use. This key is intended…

for encrypting credit card transaction data.

Deeper analysisAI

CVE-2025-15618 affects Business::OnlinePayment::StoredTransaction, a Perl module in versions through 0.01, due to the use of an insecure secret key for encrypting credit card transaction data. The module generates this key by computing an MD5 hash of a single call to Perl's built-in rand() function, which produces insufficient entropy and is unsuitable for cryptographic purposes. This flaw is classified under CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator) and CWE-693 (Protection Mechanism Failure), with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By predicting or brute-forcing the weak secret key due to its low entropy, the attacker can decrypt sensitive credit card transaction data or tamper with its integrity, potentially leading to unauthorized access or modification of payment information.

Mitigation is available via a security patch published on metacpan.org for version 0.01 (CVE-2025-15618-r1.patch), which addresses the key generation issue. The vulnerability was disclosed on the oss-security mailing list, recommending affected users apply the patch or avoid using the module for cryptographic operations involving sensitive data. Source code for the flawed implementation is viewable in the module's lib/Business/OnlinePayment/StoredTransaction.pm at lines 64-75.