
CVE-2025-62710: CWE-337: Predictable Seed in Pseudo-Random Number Generator (PRNG) in sakaiproject sakai

Severity: Low
Tags: Vulnerability, CVE-2025-62710, cve, cve-2025-62710, cwe-337
Published: Wed Oct 22 2025 (10/22/2025, 22:19:21 UTC)
Source: CVE Database V5
Vendor/Project: sakaiproject
Product: sakai

Description

Sakai is a Collaboration and Learning Environment. Prior to versions 23.5 and 25.0, EncryptionUtilityServiceImpl initialized an AES256TextEncryptor password (serverSecretKey) using RandomStringUtils with the default java.util.Random. java.util.Random is a non‑cryptographic PRNG and can be predicted from limited state/seed information (e.g., start time window), substantially reducing the effective search space of the generated key. An attacker who can obtain ciphertexts (e.g., exported or at‑rest strings protected by this service) and approximate the PRNG seed can feasibly reconstruct the serverSecretKey and decrypt affected data. SAK-49866 is patched in Sakai 23.5, 25.0, and trunk.

AI-Powered Analysis

Last updated: 10/22/2025, 23:05:47 UTC

Technical Analysis

CVE-2025-62710 identifies a cryptographic weakness in the Sakai Collaboration and Learning Environment prior to versions 23.5 and 25.0. The vulnerability stems from the use of java.util.Random, a predictable and non-cryptographically secure PRNG, to generate the AES256TextEncryptor password (serverSecretKey) within the EncryptionUtilityServiceImpl component. Since java.util.Random seeds can be approximated from limited state information such as the system start time, an attacker who gains access to ciphertexts protected by this key can feasibly reconstruct the serverSecretKey by narrowing the key search space. This reconstruction enables decryption of sensitive data at rest or in exported form, compromising confidentiality. The vulnerability is classified under CWE-337 (Predictable Seed in PRNG). The flaw was addressed in Sakai versions 23.5 and 25.0 by replacing the insecure PRNG with a cryptographically secure alternative. The CVSS v3.1 base score is 2.6, reflecting a low severity due to the need for low privileges, user interaction, and high attack complexity, with no impact on integrity or availability. No known exploits are currently reported in the wild. The vulnerability highlights the critical importance of using cryptographically secure PRNGs for key generation in software handling sensitive data.
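The weak pattern described above and its hardened replacement, side by side, as an added example (not Sakai's code and not taken from the SAK-49866 patch). The alphabet, the key length, the seed value and the `randomPassword` helper are assumptions made for illustration; the helper stands in for a RandomStringUtils-style call using only the JDK.

```java
import java.security.SecureRandom;
import java.util.Random;

public class ServerSecretKeyDemo {
    // Constructed alphabet and length for illustration; not Sakai's actual values.
    static final String ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    static final int KEY_LENGTH = 36;

    // Hypothetical stand-in for a RandomStringUtils-style helper: every
    // character comes from whichever generator the caller passes in.
    static String randomPassword(Random rng, int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(rng.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Weak pattern: java.util.Random keeps 48 bits of state, and its whole
        // output stream is a function of the seed.
        long seed = 42L; // constructed seed value
        String weakA = randomPassword(new Random(seed), KEY_LENGTH);
        String weakB = randomPassword(new Random(seed), KEY_LENGTH);
        System.out.println("java.util.Random, same seed, same password: "
            + weakA.equals(weakB));

        // Hardened pattern: SecureRandom draws its seed from the platform's
        // entropy source, so independent instances do not repeat each other.
        String strongA = randomPassword(new SecureRandom(), KEY_LENGTH);
        String strongB = randomPassword(new SecureRandom(), KEY_LENGTH);
        System.out.println("SecureRandom, two instances, same password: "
            + strongA.equals(strongB));

        // Nominal strength of the string versus what the weak generator can deliver.
        double nominalBits = KEY_LENGTH * Math.log(ALPHABET.length()) / Math.log(2);
        System.out.printf("Nominal password entropy: %.0f bits%n", nominalBits);
        System.out.println("Upper bound with java.util.Random: 48 bits (seed size)");
    }
}
```

Because `SecureRandom` extends `java.util.Random`, the generator can be swapped without changing the helper, which is why this class of fix is usually a small patch; data encrypted under a key from the weak generator stays exposed until it is re-encrypted under a new key.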

Potential Impact

For European organizations using affected versions of Sakai, this vulnerability poses a risk to the confidentiality of encrypted data managed by the platform. Educational institutions, research organizations, and collaborative projects relying on Sakai for secure communication and data storage could have sensitive information exposed if an attacker can obtain ciphertexts and approximate the PRNG seed. Although the vulnerability does not affect data integrity or system availability, the potential decryption of protected data could lead to unauthorized disclosure of personal information, intellectual property, or confidential communications. The low CVSS score reflects the complexity and prerequisites for exploitation, but organizations with high-value data or regulatory compliance requirements (e.g., GDPR) should consider the risk significant. The impact is heightened in environments where exported or at-rest encrypted data is accessible to adversaries or insiders. Failure to remediate could undermine trust in Sakai deployments and lead to reputational damage or regulatory penalties.

Mitigation Recommendations

European organizations should immediately upgrade Sakai installations to versions 23.5 or 25.0, where the vulnerability is patched by replacing the insecure PRNG with a cryptographically secure alternative. Until upgrades are applied, organizations should restrict access to encrypted data exports and at-rest ciphertexts to minimize exposure. Review and audit logs for unusual access patterns to encrypted data. Implement network segmentation and strict access controls around Sakai servers to reduce the attack surface. Educate administrators and developers on the importance of using secure PRNGs (e.g., java.security.SecureRandom) for cryptographic key generation. Conduct a thorough inventory of all Sakai instances and verify their versions. If possible, re-encrypt sensitive data with keys generated from secure PRNGs after patching. Monitor vendor advisories and community forums for any emerging exploit reports or additional mitigations. Finally, integrate this vulnerability into organizational risk assessments and incident response plans to ensure preparedness.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-10-20T19:41:22.739Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68f96334884d3b6631feb0f7

Added to database: 10/22/2025, 11:05:24 PM

Last enriched: 10/22/2025, 11:05:47 PM

Last updated: 10/23/2025, 3:04:10 AM
