Cyber Posture

CVE-2025-15638

Critical

Published: 21 April 2026
Modified: 22 April 2026
KEV Added: not listed
Patch: update to Net::Dropbear 0.14 or later
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0002 (5.3rd percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-15638 is a critical-severity vulnerability of unspecified weakness type in atrodo's Net::Dropbear. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 5.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-8 (System Component Inventory).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent (SI-2, Flaw Remediation): Directly requires timely remediation of the vulnerability in Net::Dropbear versions before 0.14 by updating to version 0.14 or later, which addresses the bundled vulnerable libtomcrypt.
- detect: Supports identification of CVE-2025-15638 in Net::Dropbear and its bundled Dropbear/libtomcrypt components through regular vulnerability scanning.
- detect (CM-8, System Component Inventory): Provides an inventory of system components, including Net::Dropbear and its dependencies, to assess exposure to the vulnerable libtomcrypt versions.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Remote unauthenticated RCE in a public-facing SSH (Dropbear) service directly enables exploitation of exposed applications and remote services.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Net::Dropbear versions before 0.14 for Perl contain a vulnerable version of libtomcrypt. Net::Dropbear versions before 0.14 include versions of Dropbear 2019.78 or earlier. These include versions of libtomcrypt v1.18.1 or earlier, which are affected by CVE-2016-6129 and CVE-2018-12437.

Deeper analysis

CVE-2025-15638 is a vulnerability in Net::Dropbear versions before 0.14 for Perl, which bundles vulnerable versions of Dropbear 2019.78 or earlier. These in turn include libtomcrypt v1.18.1 or earlier, affected by CVE-2016-6129 and CVE-2018-12437.

The vulnerability has a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating it can be exploited remotely by unauthenticated attackers over the network with low attack complexity and no user interaction. Successful exploitation allows attackers to achieve high impacts on confidentiality, integrity, and availability with a change in scope.

Advisories recommend updating to Net::Dropbear version 0.14 or later, which addresses the bundled vulnerable libtomcrypt versions, as detailed in the release changes on MetaCPAN. Additional details on the underlying issues are available in the CVE-2016-6129 and CVE-2018-12437 records.

Details

CWE(s): not specified
Affected Products: atrodo Net::Dropbear (versions before 0.14)
