
CVE-2025-15618: Critical Vulnerability in Business::OnlinePayment::StoredTransaction

A critical vulnerability in Business::OnlinePayment::StoredTransaction allows attackers to exploit insecure key generation for credit card transactions. Organizations must prioritize patching this issue to mitigate risks associated with sensitive data exposure.

CRITICAL · CVSS 9.1 · Published March 31, 2026


CVE-2025-15618 is a critical vulnerability affecting Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl. This vulnerability allows attackers to exploit an insecure method of generating a secret key intended for encrypting credit card transaction data. With a CVSS score of 9.1, this vulnerability poses a significant risk to organizations handling sensitive financial data.

The key generation mechanism utilizes a MD5 hash of a single call to the built-in rand function, which is unsuitable for cryptographic use. Attackers may leverage this weakness to intercept or manipulate sensitive transaction data, leading to severe financial consequences and loss of consumer trust.

Given the nature of the vulnerability and the potential impact, organizations must prioritize patching immediately. The urgency to address this issue is underscored by the high confidentiality and integrity impact scores associated with the vulnerability.

Currently, there is no known public exploit for this vulnerability, and it is not listed in the Known Exploited Vulnerability (KEV) catalog. However, organizations should remain vigilant and take proactive measures to secure their systems.

In this blog, we will delve deeper into the vulnerability details, technical analysis, risk assessment, and recommended mitigation strategies.

Vulnerability Details

The vulnerability is characterized by the insecure generation of a secret key in the Business::OnlinePayment::StoredTransaction Perl module. The official description states that this module generates a key using a MD5 hash of a single call to the built-in rand function, which is not suitable for cryptographic purposes. This key is intended for encrypting credit card transaction data.

This vulnerability is classified as a critical issue with a CVSS score of 9.1, indicating a high severity level. The affected product is Business::OnlinePayment::StoredTransaction with a version range of 0.01 and below. The vulnerability was published on March 31, 2026.

CWE classifications associated with this vulnerability include CWE-338 (Use of Insufficiently Random Values) and CWE-693 (Protection Mechanism Failure). These weaknesses highlight the fundamental flaws in the key generation method.

Technical Analysis

The root cause of this vulnerability lies in the method used to generate the secret key. Deriving the key from a single call to the built-in rand function, a non-cryptographic PRNG, yields predictable output: hashing cannot add entropy, so the key is no harder to guess than that one rand value, which makes it susceptible to brute-force attacks. Additionally, the use of MD5, a cryptographic hash function with known weaknesses, further exacerbates the issue.

The attack vector for this vulnerability is over the network, with a low attack complexity. No privileges are required for an attacker to exploit this vulnerability, and user interaction is not needed. The impact on confidentiality is high, as attackers may gain access to sensitive transaction data. Integrity is also severely impacted, allowing attackers to manipulate transaction information.
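To make the entropy argument concrete, the following added example (written for this page, not code from the Business::OnlinePayment::StoredTransaction module) models the weak construction in Python: an MD5 digest over the text of one draw from a non-cryptographic PRNG. Python's random module stands in for Perl's built-in rand, and the toy generator in distinct_weak_keys is a constructed stand-in with a deliberately small state, not Perl's rand. It shows that the key space collapses to the generator's state space regardless of MD5's 128-bit output, and places the hardened form, key material drawn from the OS CSPRNG via the secrets module, beside it.

```python
import hashlib
import random
import secrets

MD5_BITS = 128


def weak_key(prng_output: float) -> bytes:
    """The weak construction the advisory describes, modeled in Python:
    MD5 over the text of a single PRNG draw. Hashing adds no entropy, so
    the key is only as unpredictable as that one draw."""
    return hashlib.md5(repr(prng_output).encode()).digest()


def weak_key_entropy_bound(prng_output_bits: int) -> int:
    """Upper bound on the entropy of a key derived by hashing one PRNG output:
    at most min(128, bits in the PRNG output), whatever the digest size."""
    return min(MD5_BITS, prng_output_bits)


def same_seed_same_key(seed: int) -> bool:
    """Two independently constructed generators with the same seed produce
    the same 'secret' key; a CSPRNG-backed key would not be reproducible."""
    first = random.Random(seed)   # Mersenne Twister: a stand-in for Perl's rand
    second = random.Random(seed)
    return weak_key(first.random()) == weak_key(second.random())


def distinct_weak_keys(state_bits: int) -> int:
    """Toy PRNG with a `state_bits`-bit internal state (constructed for
    illustration). Enumerate every state and count the distinct keys the weak
    construction can yield: the count never exceeds 2**state_bits, so a 128-bit
    digest of a 12-bit draw is a 12-bit key."""
    modulus = 1 << state_bits
    keys = set()
    for state in range(modulus):
        output = state / modulus  # a float in [0, 1), as rand returns
        keys.add(weak_key(output))
    return len(keys)


def strong_key(nbytes: int = 32) -> bytes:
    """Hardened form: draw key material directly from the OS CSPRNG."""
    return secrets.token_bytes(nbytes)


if __name__ == "__main__":
    print("same seed, same weak key:", same_seed_same_key(1234))
    print("distinct weak keys for a 12-bit PRNG state:", distinct_weak_keys(12))
    print("entropy bound for a 48-bit rand output:", weak_key_entropy_bound(48), "bits")
    print("strong key:", strong_key().hex())
```

The figure to carry away is the bound: the only input the key depends on is one PRNG output, so its entropy is capped by that output's width, and distinct_weak_keys makes the cap visible on a small model. The fix is not a stronger hash but a different source, which is why strong_key bypasses hashing entirely and reads from the CSPRNG.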

Risk & Impact Analysis

The real-world risk associated with this vulnerability is significant, particularly for organizations that process credit card transactions. The potential for data breaches and unauthorized access to sensitive financial information poses a severe threat to customer trust and organizational reputation. The blast radius of this vulnerability extends to any system utilizing the affected version of Business::OnlinePayment::StoredTransaction, potentially impacting multiple users and transactions.

Organizations should assess their exposure to this vulnerability and take immediate action based on its critical severity. The urgency for remediation is classified as critical, considering the high CVSS score and the potential for exploitation.

Exploitation Status

Signal              Status
Known Exploit       No
Public PoC          No
Actively Exploited  No
Ransomware Use      No

Affected Versions

The affected versions of Business::OnlinePayment::StoredTransaction include all versions through 0.01. Organizations using this software must ensure they have applied the latest patches to mitigate this vulnerability.

Mitigation & Remediation

Organizations must address this vulnerability by updating to the latest version of Business::OnlinePayment::StoredTransaction, which includes a secure method for key generation. If a patch is unavailable, consider implementing additional encryption mechanisms to safeguard transaction data.

For comprehensive security assessments, organizations can consider engaging in penetration testing to identify and remediate potential vulnerabilities.

Detection Guidance

Organizations should monitor logs for any unusual access patterns or attempts to exploit vulnerabilities in the Business::OnlinePayment::StoredTransaction module. Additionally, behavioral anomalies related to credit card transactions should be flagged for further investigation.
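Log monitoring will not reveal a weak key by itself, so a complementary check is a source audit for the construction the advisory names. The following added example (not part of this page or of the module) is a small Python scanner that flags Perl source lines where an MD5 digest is taken directly over rand, or where a variable named like a key or secret is assigned straight from rand. The Perl snippet it scans is constructed for the example; the regular expressions and the variable-name heuristic are assumptions about how such code is typically written, not a complete audit.

```python
import re
from typing import List, Tuple

# Constructed sample Perl source (not the module's real code): one weak key
# derivation, one acceptable read from the OS CSPRNG, and one direct
# rand()-to-secret assignment.
SAMPLE_PERL = """\
use Digest::MD5 qw(md5_hex);
sub weak_key  { return md5_hex(rand()); }
sub strong_key {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read $fh, my $buf, 32;
    return unpack 'H*', $buf;
}
my $secret_token = rand(1_000_000);
"""

# (pattern, reason) pairs; the patterns are an assumption about common spellings.
WEAK_PATTERNS = [
    (re.compile(r"\bmd5(?:_hex|_base64)?\s*\(\s*rand\b"),
     "MD5 over a single rand() call (CWE-338): hashing adds no entropy"),
    (re.compile(r"\$(?:key|secret)\w*\s*=\s*rand\b"),
     "key or secret variable assigned directly from rand()"),
]


def scan_perl_source(source: str) -> List[Tuple[int, str]]:
    """Return (line number, reason) for every line matching a weak pattern."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.split("#", 1)[0]  # drop trailing comments (naive split)
        for pattern, reason in WEAK_PATTERNS:
            if pattern.search(code):
                findings.append((lineno, reason))
    return findings


if __name__ == "__main__":
    for lineno, reason in scan_perl_source(SAMPLE_PERL):
        print(f"line {lineno}: {reason}")
```

Run over a checkout, the scanner is a triage aid: a hit on the first pattern is the exact construction this CVE describes and should be treated as a confirmed weak key source, while a hit on the second needs a human to confirm the variable really holds key material.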

AppSecure Threat Intelligence Insight

The long-term significance of CVE-2025-15618 lies in its demonstration of the critical importance of secure key generation in payment processing applications. This vulnerability reflects a concerning trend where inadequate security practices can lead to severe financial repercussions. Security teams must ensure that cryptographic keys are generated using secure and unpredictable methods.

Organizations should also revisit their cryptographic practices and conduct regular security audits to identify potential weaknesses. For further guidance on security practices, organizations can refer to the best practices for security testing. Incorporating continuous security assessments can significantly strengthen an organization's defenses against evolving threats.

By understanding the implications of vulnerabilities like CVE-2025-15618, organizations can better prepare themselves against future security challenges. For insights on vulnerability management, refer to our article on vulnerability management programs to enhance overall security posture.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
