Home / Vulnerability Intelligence / CVE-2025-40931

CVE-2025-40931 - Vulnerability Analysis

CriticalCVSS: 9.1

Last Updated: March 5, 2026

Apache::Session::Generate::MD5 - Authentication Bypass

Published: March 5, 2026Updated: March 5, 2026Remote Exploitable

Overview

Apache::Session::Generate::MD5 <= 1.94 for Perl contains a broken authentication caused by insecure session id generation using predictable MD5 seeds, letting attackers predict session ids and gain unauthorized access, exploit requires no special conditions.

Severity & Score

Severity: Critical

CVSS Score: 9.1

EPSS Score: 3.2%(Probability of exploitation in next 30 days)

Impact

Attackers can predict session IDs, potentially allowing unauthorized access to user sessions and sensitive data.

Mitigation

Update to the latest version with secure session id generation.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 5, 2026

🔴 CVE-2025-40931 - Critical (9.1) Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id. Apache::Session::Generate::MD5 generates session ids insecurely. The default session id generator returns a MD5 hash seeded with the built-in rand() functio... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-40931/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2025-40931
Severity: Critical
CVSS Score: 9.1
Type: broken_authentication
Status: unconfirmed
EPSS: 3.2%
Social Posts: 1

CWE

CWE-338

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Score

3.2%Probability of exploitation in the next 30 days