CVE-2025-15618 identifies a cryptographic weakness in the Perl module Business::OnlinePayment::StoredTransaction (versions up to 0.01). The vulnerability arises from the use of an insecure method to generate secret keys for encrypting credit card transaction data. Specifically, the module creates the secret key by taking an MD5 hash of a single call to Perl's built-in rand() function. The rand() function is not designed to be cryptographically secure and can produce predictable outputs, especially if the seed is known or can be inferred. MD5, while a cryptographic hash function, is considered broken for collision resistance and is unsuitable for key derivation in modern cryptographic contexts. Combining a weak random source with MD5 hashing results in keys that can be feasibly predicted or brute-forced by attackers. This compromises the confidentiality of encrypted payment data, potentially allowing attackers to decrypt stored credit card information. The vulnerability is classified under CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator) and CWE-693 (Protection Mechanism Failure). No patches or fixes are currently linked, and no known exploits have been reported in the wild. However, the risk remains significant due to the sensitive nature of the data protected by the flawed key generation process.

The primary impact of this vulnerability is the potential exposure of sensitive credit card transaction data encrypted using weakly generated secret keys. Attackers who can predict or reproduce the secret key can decrypt stored payment information, leading to data breaches involving financial data, identity theft, and fraud. Organizations relying on this Perl module for online payment processing risk losing customer trust, facing regulatory penalties for inadequate data protection, and incurring financial losses from fraud and remediation costs. The vulnerability undermines the confidentiality and integrity of payment data but does not directly affect system availability. Since the weakness is in the cryptographic key generation, exploitation does not require user interaction or authentication, increasing the risk of automated attacks. The scope is limited to systems using the affected module version, but given the widespread use of Perl in legacy and some modern payment systems, the affected population could be significant. The absence of known exploits suggests that attackers may need some effort to develop reliable attacks, but the fundamental cryptographic flaw is severe.

To mitigate this vulnerability, organizations should immediately cease using Business::OnlinePayment::StoredTransaction versions up to 0.01 for encrypting sensitive data. Developers should update the module to use a cryptographically secure pseudo-random number generator (CSPRNG), such as those provided by Perl's Crypt::PRNG or the operating system's secure random sources (e.g., /dev/urandom or Crypt::Random). The key derivation process should employ modern, secure algorithms like HKDF or PBKDF2 with appropriate salts and iteration counts instead of MD5 hashing. If no official patch is available, users should consider applying custom patches or switching to alternative, actively maintained payment processing libraries that follow current cryptographic best practices. Additionally, organizations should audit stored encrypted data and consider re-encrypting with securely generated keys. Implementing comprehensive logging and monitoring for unusual access patterns to payment data can help detect exploitation attempts. Finally, educating developers on secure cryptographic practices and regularly reviewing third-party dependencies for vulnerabilities is essential to prevent similar issues.