Skip to main content

Net::Dropbear EUVDEUVD-2025-209545

| CVE-2025-15638 CRITICAL
Dependency on Vulnerable Third-Party Component (CWE-1395)
2026-04-21 CPANSec GHSA-fwph-xhj4-v8r5
Critical
Disputed · 10.0 NVD
Share

Severity by source

Sources disagree (Low–Critical)
NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
SUSE
3.1 LOW
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 22, 2026 - 17:37 vuln.today
cvss_changed
Patch released
Apr 22, 2026 - 17:35 nvd
Patch available
Analysis Generated
Apr 21, 2026 - 18:47 vuln.today
CVSS changed
Apr 21, 2026 - 17:22 NVD
10.0 (CRITICAL)
Patch available
Apr 21, 2026 - 17:01 EUVD
EUVD ID Assigned
Apr 21, 2026 - 16:00 euvd
EUVD-2025-209545
Analysis Generated
Apr 21, 2026 - 16:00 vuln.today
CVE Published
Apr 21, 2026 - 15:34 nvd
CRITICAL 10.0

DescriptionCVE.org

Net::Dropbear versions before 0.14 for Perl contains a vulnerable version of libtomcrypt.

Net::Dropbear versions before 0.14 includes versions of Dropbear 2019.78 or earlier. These include versions of libtomcrypt v1.18.1 or earlier, which is affected by CVE-2016-6129 and CVE-2018-12437.

AnalysisAI

Remote code execution with complete system compromise affects Net::Dropbear Perl module versions before 0.14 due to bundled vulnerable libtomcrypt library. The module ships with Dropbear 2019.78 or earlier containing libtomcrypt v1.18.1, inheriting CVE-2016-6129 (RSA signature forgery) and CVE-2018-12437 (RSA key recovery via side-channel). CVSS 10.0 reflects network-accessible attack with no authentication or user interaction required and complete confidentiality, integrity, and availability impact with scope change. CISA SSVC framework confirms automatable exploitation with total technical impact, though no active exploitation reported. Patch available in Net::Dropbear 0.14 with updated cryptographic dependencies.

Technical ContextAI

Net::Dropbear is a Perl module (CPE: cpe:2.3:a:atrodo:net::dropbear) that bundles the Dropbear SSH implementation including its cryptographic dependencies. The vulnerability stems from CWE-1395 (Dependency on Vulnerable Third-Party Component) - specifically inherited flaws in the bundled libtomcrypt library v1.18.1 or earlier. CVE-2016-6129 involves RSA PKCS#1 v1.5 signature verification flaws enabling signature forgery through Bleichenbacher-style attacks. CVE-2018-12437 involves RSA key recovery vulnerabilities through timing side-channels during cryptographic operations. These affect core SSH authentication and key exchange mechanisms, making any SSH connections established through Net::Dropbear susceptible to authentication bypass and cryptographic attacks. The compound nature - multiple crypto flaws in a bundled dependency - explains the critical CVSS 10.0 rating despite being library-level vulnerabilities.

RemediationAI

Upgrade to Net::Dropbear version 0.14 or later, which includes updated Dropbear and libtomcrypt versions addressing CVE-2016-6129 and CVE-2018-12437. Installation via CPAN: 'cpan Net::Dropbear' or 'cpanm Net::Dropbear' to pull the latest secure version. Review METACPAN release notes at https://metacpan.org/release/ATRODO/Net-Dropbear-0.14/source/dropbear/libtomcrypt/changes for cryptographic library version updates. If immediate upgrade is not feasible, implement network-level compensating controls: restrict SSH access through Net::Dropbear services to trusted IP ranges using firewall rules (reduces network attack vector from AV:N to effectively local), disable RSA authentication in favor of Ed25519 keys if the application supports algorithm selection (mitigates libtomcrypt RSA-specific flaws but may break compatibility with legacy systems), or replace Net::Dropbear with alternative Perl SSH libraries like Net::SSH::Perl or Net::OpenSSH that use different cryptographic backends (requires application code changes and testing). Note that algorithm restrictions may cause authentication failures with older SSH clients expecting RSA support.

Vendor StatusVendor

SUSE

Severity: Low
Product Status
SUSE Linux Enterprise Server 12 SP5 Fixed
SUSE Linux Enterprise Server for SAP Applications 12 SP5 Fixed
SUSE Linux Enterprise Desktop 12 SP4 Fixed
SUSE Linux Enterprise Server 12 SP4 Fixed
SUSE Linux Enterprise Server for SAP Applications 12 SP4 Fixed

Share

EUVD-2025-209545 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy