Severity by source
Sources disagree (Low–Critical)AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
8DescriptionCVE.org
Net::Dropbear versions before 0.14 for Perl contains a vulnerable version of libtomcrypt.
Net::Dropbear versions before 0.14 includes versions of Dropbear 2019.78 or earlier. These include versions of libtomcrypt v1.18.1 or earlier, which is affected by CVE-2016-6129 and CVE-2018-12437.
AnalysisAI
Remote code execution with complete system compromise affects Net::Dropbear Perl module versions before 0.14 due to bundled vulnerable libtomcrypt library. The module ships with Dropbear 2019.78 or earlier containing libtomcrypt v1.18.1, inheriting CVE-2016-6129 (RSA signature forgery) and CVE-2018-12437 (RSA key recovery via side-channel). CVSS 10.0 reflects network-accessible attack with no authentication or user interaction required and complete confidentiality, integrity, and availability impact with scope change. CISA SSVC framework confirms automatable exploitation with total technical impact, though no active exploitation reported. Patch available in Net::Dropbear 0.14 with updated cryptographic dependencies.
Technical ContextAI
Net::Dropbear is a Perl module (CPE: cpe:2.3:a:atrodo:net::dropbear) that bundles the Dropbear SSH implementation including its cryptographic dependencies. The vulnerability stems from CWE-1395 (Dependency on Vulnerable Third-Party Component) - specifically inherited flaws in the bundled libtomcrypt library v1.18.1 or earlier. CVE-2016-6129 involves RSA PKCS#1 v1.5 signature verification flaws enabling signature forgery through Bleichenbacher-style attacks. CVE-2018-12437 involves RSA key recovery vulnerabilities through timing side-channels during cryptographic operations. These affect core SSH authentication and key exchange mechanisms, making any SSH connections established through Net::Dropbear susceptible to authentication bypass and cryptographic attacks. The compound nature - multiple crypto flaws in a bundled dependency - explains the critical CVSS 10.0 rating despite being library-level vulnerabilities.
RemediationAI
Upgrade to Net::Dropbear version 0.14 or later, which includes updated Dropbear and libtomcrypt versions addressing CVE-2016-6129 and CVE-2018-12437. Installation via CPAN: 'cpan Net::Dropbear' or 'cpanm Net::Dropbear' to pull the latest secure version. Review METACPAN release notes at https://metacpan.org/release/ATRODO/Net-Dropbear-0.14/source/dropbear/libtomcrypt/changes for cryptographic library version updates. If immediate upgrade is not feasible, implement network-level compensating controls: restrict SSH access through Net::Dropbear services to trusted IP ranges using firewall rules (reduces network attack vector from AV:N to effectively local), disable RSA authentication in favor of Ed25519 keys if the application supports algorithm selection (mitigates libtomcrypt RSA-specific flaws but may break compatibility with legacy systems), or replace Net::Dropbear with alternative Perl SSH libraries like Net::SSH::Perl or Net::OpenSSH that use different cryptographic backends (requires application code changes and testing). Note that algorithm restrictions may cause authentication failures with older SSH clients expecting RSA support.
Same technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Low| Product | Status |
|---|---|
| SUSE Linux Enterprise Server 12 SP5 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP5 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP4 | Fixed |
| SUSE Linux Enterprise Server 12 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP4 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP4 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209545
GHSA-fwph-xhj4-v8r5