CVE-2025-62710: CWE-337: Predictable Seed in Pseudo-Random Number Generator (PRNG) in sakaiproject sakai
Sakai is a Collaboration and Learning Environment. Prior to versions 23.5 and 25.0, EncryptionUtilityServiceImpl initialized an AES256TextEncryptor password (serverSecretKey) using RandomStringUtils with the default java.util.Random. java.util.Random is a non‑cryptographic PRNG and can be predicted from limited state/seed information (e.g., start time window), substantially reducing the effective search space of the generated key. An attacker who can obtain ciphertexts (e.g., exported or at‑rest strings protected by this service) and approximate the PRNG seed can feasibly reconstruct the serverSecretKey and decrypt affected data. SAK-49866 is patched in Sakai 23.5, 25.0, and trunk.
AI Analysis
Technical Summary
CVE-2025-62710 concerns a cryptographic weakness in the Sakai collaboration and learning environment's EncryptionUtilityServiceImpl component prior to versions 23.5 and 25.0. The vulnerability stems from the initialization of the AES256TextEncryptor password (serverSecretKey) using RandomStringUtils backed by java.util.Random, which is a non-cryptographically secure PRNG. java.util.Random's output can be predicted if an attacker can approximate the seed, typically derived from system time or other limited entropy sources. This predictability drastically reduces the effective key search space, enabling an attacker who has access to ciphertexts—such as exported or at-rest encrypted strings protected by this service—to reconstruct the serverSecretKey. With the recovered key, the attacker can decrypt sensitive data, compromising confidentiality. The vulnerability does not affect data integrity or availability. Exploitation does not require authentication or user interaction but has a high attack complexity due to the need to approximate the PRNG seed accurately. The issue is tracked as CWE-337 (Predictable Seed in PRNG). Sakai addressed this vulnerability in versions 23.5, 25.0, and the development trunk by replacing the weak PRNG with a cryptographically secure alternative. No known exploits are currently reported in the wild.
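The weak pattern described above beside a hardened form, as an added example that is not Sakai's code or the actual patch. The class and method names, the 32-character length and the seed value are constructed for illustration, and the alphanumeric draw uses only the JDK rather than RandomStringUtils.

```java
import java.security.SecureRandom;
import java.util.Random;

// Added illustration; all names here are hypothetical, not Sakai identifiers.
public class SecretKeyGenerationDemo {
    private static final String ALPHANUM =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    private static final int LENGTH = 32; // constructed length, not taken from Sakai

    // Draws LENGTH alphanumeric characters from whichever generator is passed in.
    static String randomAlphanumeric(Random rng) {
        StringBuilder sb = new StringBuilder(LENGTH);
        for (int i = 0; i < LENGTH; i++) {
            sb.append(ALPHANUM.charAt(rng.nextInt(ALPHANUM.length())));
        }
        return sb.toString();
    }

    // Weak pattern: java.util.Random is a linear congruential generator with
    // 48 bits of internal state, so the whole string is a pure function of the
    // seed and can never carry more than 48 bits of entropy.
    static String weakSecret(long seed) {
        return randomAlphanumeric(new Random(seed));
    }

    // Hardened pattern: SecureRandom is seeded from the platform's entropy
    // source and is designed so that outputs do not reveal its state.
    static String strongSecret() {
        return randomAlphanumeric(new SecureRandom());
    }

    // Nominal strength of the string if every character were truly independent.
    static double nominalBits() {
        return LENGTH * (Math.log(ALPHANUM.length()) / Math.log(2));
    }

    public static void main(String[] args) {
        long seed = 123456789L; // constructed seed value
        boolean weakRepeats = weakSecret(seed).equals(weakSecret(seed));
        boolean strongRepeats = strongSecret().equals(strongSecret());
        System.out.println("weak secret repeats for the same seed: " + weakRepeats);
        System.out.println("strong secret repeats across calls:    " + strongRepeats);
        System.out.printf("nominal strength %.0f bits vs. 48 bits of java.util.Random state%n",
            nominalBits());
    }
}
```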
Potential Impact
For European organizations using Sakai versions prior to 23.5 or 25.0, this vulnerability poses a significant risk to the confidentiality of sensitive educational and collaboration data. Since Sakai is widely used in academic institutions and research organizations across Europe, unauthorized decryption of protected data could lead to exposure of personal information, intellectual property, and confidential communications. Although the vulnerability does not impact data integrity or availability, the breach of confidentiality could result in regulatory non-compliance under GDPR, reputational damage, and potential legal consequences. The attack requires no privileges or user interaction, increasing the risk if ciphertexts are accessible through backups, exports, or compromised storage. The high attack complexity somewhat limits exploitation but does not eliminate the threat, especially for motivated attackers with sufficient resources. Organizations relying on Sakai for critical collaboration should consider this vulnerability a priority for remediation to maintain data protection standards.
Mitigation Recommendations
European organizations should immediately upgrade Sakai to versions 23.5, 25.0, or later where the vulnerability is patched. If upgrading is not immediately feasible, organizations should restrict access to encrypted data exports and backups to minimize ciphertext exposure. Implement network segmentation and strict access controls around Sakai servers and storage to reduce the risk of unauthorized data access. Conduct audits to identify any exported or at-rest encrypted data protected by the vulnerable EncryptionUtilityServiceImpl and consider re-encrypting this data after patching. Additionally, monitor for unusual access patterns or attempts to obtain ciphertexts. Educate administrators about the risks of using non-cryptographically secure PRNGs for key generation and encourage the adoption of secure cryptographic libraries and best practices. Finally, integrate this vulnerability into incident response plans to ensure rapid action if exploitation is suspected.
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain, Sweden, Finland, Belgium, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-10-20T19:41:22.739Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68f96334884d3b6631feb0f7
Added to database: 10/22/2025, 11:05:24 PM
Last enriched: 10/29/2025, 11:34:01 PM
Last updated: 12/7/2025, 2:02:01 PM