Cyber Posture

CVE-2025-40932

High

Published: 27 February 2026
Modified: 03 March 2026
KEV Added: not listed
Patch: none referenced
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0004 (13.1st percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-40932 is a high-severity use of a cryptographically weak PRNG (CWE-338) in the Perl module Apache::SessionX (CPAN distribution Apache-SessionX, author grichter). Its CVSS v3.1 base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 13.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and AC-12 (Session Termination).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, Web Session Cookie (T1550.004). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: SC-23 (Session Authenticity) requires mechanisms that protect the authenticity of communications sessions, directly countering predictable session IDs that enable remote hijacking.

Prevent: IA-5 (Authenticator Management) mandates secure management of authenticators, including generation of unpredictable identifiers, which addresses the weak session ID entropy derived from rand(), time, and PID.

Prevent: AC-12 (Session Termination) enforces automatic session termination after inactivity or defined triggers, limiting the window in which a guessed session ID remains valid.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1550.004 Web Session Cookie Lateral Movement
Adversaries can use stolen session cookies to authenticate to web applications and services.
Why these techniques?

Insecure session ID generation in a Perl web session module enables remote prediction and use of valid session tokens (T1550.004) after exploiting the public-facing application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Apache::SessionX versions through 2.01 for Perl create insecure session ids. Apache::SessionX generates session ids insecurely. The default session id generator in Apache::SessionX::Generate::MD5 returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predictable session ids could allow an attacker to gain access to systems.

Deeper analysis

CVE-2025-40932 is a vulnerability in Apache::SessionX versions through 2.01 for Perl, where session IDs are generated insecurely. The default generator in Apache::SessionX::Generate::MD5 produces an MD5 hash seeded with the built-in rand() function, the epoch time, and the process ID (PID). These seeds are predictable because PIDs are drawn from a small set of numbers, epoch time can be guessed or obtained from the HTTP Date header, and the rand() function is unsuitable for cryptographic use.

Remote attackers can exploit this over the network with low complexity, no privileges, and no user interaction required. By predicting session IDs, they can hijack active sessions, achieving high confidentiality impact (access to sensitive session data) and low integrity impact, as reflected in the CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N). This enables unauthorized system access.
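The following Perl script is an added illustration, not code from Apache::SessionX or its author. It reconstructs the weak construction the advisory describes (MD5 over rand(), epoch time and PID; the exact concatenation order in Generate/MD5.pm is an assumption here), enumerates the candidate space an attacker faces once time and PID are bounded, and shows a replacement that draws the identifier from the OS CSPRNG. The seed value, timestamp and PID are constructed for the demonstration; the assumption that rand() output can be reproduced from a guessable seed models the advisory's statement that rand() is unsuitable for cryptographic use.

```perl
#!/usr/bin/env perl
# Added example, not Apache::SessionX code. Perl core modules only.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Reconstruction of the described generator: MD5 over rand(), epoch time and
# PID. Concatenation order is an assumption; the point is that every input
# is low-entropy or leaked.
sub weak_session_id {
    my ($rand_value, $epoch, $pid) = @_;
    return md5_hex(join '', $rand_value, $epoch, $pid);
}

# Attacker's view. If rand() can be reproduced (modelled here by srand with a
# guessed seed; the real seed source depends on the Perl build), the only
# unknowns left are the timestamp and the PID, and both are small sets.
sub candidate_ids {
    my (%a) = @_;
    my %cands;
    for my $t ($a{time_lo} .. $a{time_hi}) {
        for my $pid ($a{pid_lo} .. $a{pid_hi}) {
            srand($a{seed});            # assumed guessable seed
            my $r = rand();
            $cands{ weak_session_id($r, $t, $pid) } = 1;
        }
    }
    return \%cands;
}

# Hardened generator: 128 bits from /dev/urandom, hex encoded. Reading the
# device directly keeps this dependency-free; Crypt::URandom or
# Bytes::Random::Secure are the usual CPAN choices in production code.
sub secure_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $bytes, 16) == 16 or die "short read from urandom";
    close $fh;
    return unpack 'H*', $bytes;
}

# Constructed scenario: the server issued an id at $server_time with
# $server_pid; the attacker knows the time to within +/-5 s (HTTP Date
# header) and the PID to within a 2,000-PID window, and guesses the seed.
my ($seed, $server_time, $server_pid) = (12345, 1_772_150_400, 31_337);
srand($seed);
my $victim_id = weak_session_id(rand(), $server_time, $server_pid);

my $cands = candidate_ids(
    seed    => $seed,
    time_lo => $server_time - 5,    time_hi => $server_time + 5,
    pid_lo  => $server_pid - 1000,  pid_hi  => $server_pid + 1000,
);
printf "candidates tried: %d, victim id in set: %s\n",
    scalar keys %$cands, exists $cands->{$victim_id} ? 'yes' : 'no';

my $sid = secure_session_id();
printf "secure id: %s (%d hex chars, 128 bits)\n", $sid, length $sid;
```

With the constructed bounds the attacker needs about 22,000 candidates, which is trivial to submit as cookie values against a public-facing application; the hardened generator leaves no structure to enumerate, and pairing it with AC-12 style inactivity timeouts bounds how long any leaked id stays useful.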

The provided reference points to the source code in Apache-SessionX-2.01 at line 29 of SessionX/Generate/MD5.pm on MetaCPAN, illustrating the flawed generation logic, though no specific advisories or patches are detailed in the available information.

Details

CWE(s): CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator)

Affected Products: Apache::SessionX (CPAN author grichter), versions through 2.01

CVEs Like This One

CVE-2025-15604 (shared: CWE-338, CWE-340)
CVE-2025-40926 (shared: CWE-338, CWE-340)
CVE-2026-5085 (shared: CWE-338, CWE-340)
CVE-2026-2439 (shared: CWE-338, CWE-340)
CVE-2026-3256 (shared: CWE-338, CWE-340)
CVE-2025-40920 (shared: CWE-338, CWE-340)
CVE-2025-15578 (shared: CWE-338)
CVE-2025-40931 (shared: CWE-338, CWE-340)
CVE-2025-66630 (shared: CWE-338)
CVE-2025-40905 (shared: CWE-338)

References