Cyber Resilience

CVE-2025-15618

Critical

Published: 31 March 2026

Published
31 March 2026
Modified
13 April 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0033 24.4th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-15618 is a critical-severity PRNG (CWE-338) vulnerability in Mock Business\. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001); ranked at the 24.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SC-13 (Cryptographic Protection).

Deeper analysis

CVE-2025-15618 affects Business::OnlinePayment::StoredTransaction, a Perl module in versions through 0.01, due to the use of an insecure secret key for encrypting credit card transaction data. The module generates this key by computing an MD5 hash of a single call to Perl's built-in rand() function, which produces insufficient entropy and is unsuitable for cryptographic purposes. This flaw is classified under CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator) and CWE-693 (Protection Mechanism Failure), with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By predicting or brute-forcing the weak secret key due to its low entropy, the attacker can decrypt sensitive credit card transaction data or tamper with its integrity, potentially leading to unauthorized access or modification of payment information.

Mitigation is available via a security patch published on metacpan.org for version 0.01 (CVE-2025-15618-r1.patch), which addresses the key generation issue. The vulnerability was disclosed on the oss-security mailing list, recommending affected users apply the patch or avoid using the module for cryptographic operations involving sensitive data. Source code for the flawed implementation is viewable in the module's lib/Business/OnlinePayment/StoredTransaction.pm at lines 64-75.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key. Business::OnlinePayment::StoredTransaction generates a secret key by using a MD5 hash of a single call to the built-in rand function, which is unsuitable for cryptographic use. This key is intended…

more

for encrypting credit card transaction data.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

Weak key generation enables decryption of stored sensitive transaction data (treated as unsecured credentials in files).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2803Shared CWE-693
CVE-2026-44000Shared CWE-693
CVE-2026-6659Shared CWE-338
CVE-2026-29649Shared CWE-693
CVE-2025-0411Shared CWE-693
CVE-2026-45227Shared CWE-693
CVE-2025-48605Shared CWE-693
CVE-2026-32225Shared CWE-693
CVE-2026-41316Shared CWE-693
CVE-2026-25726Shared CWE-338

Affected Assets

mock
business\
\

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires proper cryptographic key establishment and management with sufficient entropy sources, directly preventing the use of weak PRNG like Perl's rand() for secret key generation.

prevent

Mandates implementation of cryptographic protections using approved mechanisms for confidentiality and integrity of sensitive data like credit card transactions, countering the flawed encryption.

prevent

Requires timely identification, reporting, and remediation of flaws such as the weak key generation vulnerability, including application of the available security patch.

References