PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46474 TEODESIAN CVE debrief

Trog::TOTP versions prior to 1.006 use Perl's built-in `rand` function for generating TOTP secrets, which is cryptographically predictable and unsuitable for security-sensitive operations. The vulnerability was disclosed on 2026-05-15 and last modified on 2026-05-18. The issue is classified as CWE-331 (Insufficient Entropy) with a CVSS 3.1 score of 7.5 (HIGH severity), indicating network-accessible attack vectors with low complexity and no required privileges or user interaction. The confidentiality impact is rated HIGH, while integrity and availability impacts are none. The vendor is identified as TEODESIAN based on CPAN release metadata, though confidence is low and requires review. No known exploitation in the wild or ransomware campaign use has been documented.

Vendor: TEODESIAN
Product: Trog::TOTP
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-15
Original CVE updated: 2026-05-18
Advisory published: 2026-05-15
Advisory updated: 2026-05-18

Who should care

Organizations using Perl-based TOTP authentication with Trog::TOTP; developers maintaining legacy TOTP implementations; security teams responsible for multi-factor authentication infrastructure; compliance auditors reviewing cryptographic implementations for regulatory standards (PCI-DSS, NIST SP 800-63B)

Technical summary

Trog::TOTP is a Perl module implementing Time-based One-Time Password (TOTP) authentication. Versions before 1.006 generate TOTP secrets using Perl's built-in `rand` function, which is not cryptographically secure. An attacker with knowledge of the PRNG state or able to observe sufficient outputs could predict future secrets, compromising TOTP-based authentication. The fix in version 1.006 replaces `rand` with a cryptographically secure random number generator. The vulnerability has network attack vector, low complexity, and requires no privileges or user interaction, with high impact to confidentiality of authentication credentials.
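To make the weakness concrete, here is an added example written for this debrief (not code from Trog::TOTP or from its 1.006 fix) that contrasts a `rand`-based secret generator with one backed by the OS CSPRNG through the CPAN module Crypt::URandom. The use of Crypt::URandom, the secret lengths, and the seed value are assumptions for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::URandom qw(urandom);   # CPAN wrapper over the OS CSPRNG (assumed choice, not the module's)

my $B32 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';

# Weak pattern: choose base32 characters with Perl's rand().
# rand() is a deterministic PRNG, so its whole output stream follows from the seed.
sub weak_secret {
    my ($len) = @_;
    return join '', map { substr($B32, int(rand(32)), 1) } 1 .. $len;
}

# Base32 encoding of raw bytes (no '=' padding, as TOTP secrets are usually shared).
sub base32_encode {
    my ($bytes) = @_;
    my $bits = unpack 'B*', $bytes;
    my $out  = '';
    while ($bits =~ /(.{1,5})/g) {
        my $chunk = $1;
        $chunk .= '0' x (5 - length $chunk);   # pad the final partial chunk
        $out .= substr $B32, oct("0b$chunk"), 1;
    }
    return $out;
}

# Hardened pattern: draw raw bytes from the OS CSPRNG, then encode them.
sub strong_secret {
    my ($nbytes) = @_;
    $nbytes //= 20;                            # 160 bits, the RFC 4226 recommended minimum
    return base32_encode(urandom($nbytes));
}

# Why rand() is unsuitable: identical seeds reproduce the "secret" exactly.
srand(12345);                                  # constructed seed for the demonstration
my $first = weak_secret(32);
srand(12345);
my $second = weak_secret(32);
printf "weak secret reproducible from seed: %s\n", $first eq $second ? 'yes' : 'no';

# The CSPRNG-backed generator has no seed an attacker could recover or guess.
my $s1 = strong_secret();
my $s2 = strong_secret();
printf "strong secrets differ: %s (%d base32 chars each)\n",
    $s1 ne $s2 ? 'yes' : 'no', length $s1;
```

Secrets already issued by a `rand`-based generator should be treated as guessable and rotated rather than merely re-encoded.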

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Trog::TOTP to version 1.006 or later, which replaces the insecure `rand` function with a cryptographically secure random number generator
  • Audit existing TOTP secrets generated by affected versions and regenerate them using the patched version
  • Review applications using Trog::TOTP for evidence of secret compromise or unauthorized access
  • Monitor authentication logs for anomalous TOTP validation attempts that may indicate prediction attacks
  • Consider implementing additional authentication factors or session monitoring as compensating controls until upgrades are complete

Evidence notes

The vulnerability description is sourced from the official CVE record and NVD entry. The root cause—use of Perl's `rand` for secret generation—is confirmed by the version 1.006 changelog and code diff showing replacement with a cryptographically secure alternative. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) supports network-based exploitation with high confidentiality impact. Vendor attribution derives from CPAN release metadata (TEODESIAN/Trog-TOTP), flagged for low confidence and review.

Official resources

2026-05-15