VYPR

CWE-331

Insufficient Entropy

BaseDraft

Description

The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-59

CVEs mapped to this weakness (72)

page 1 of 4
  • CVE-2020-36925CriJan 6, 2026
    risk 0.64cvss 9.8epss 0.01

    Arteco Web Client DVR/NVR contains a session hijacking vulnerability with insufficient session ID complexity that allows remote attackers to bypass authentication. Attackers can brute force session IDs within a specific numeric range to obtain valid sessions and access live…

  • CVE-2008-2108CriMay 7, 2008
    risk 0.64cvss 9.8epss 0.04

    The GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, when running on 64-bit systems, performs a multiplication that generates a portion of zero bits during conversion due to insufficient precision, which produces 24 bits of entropy and simplifies brute force…

  • CVE-2026-42155CriMay 15, 2026
    risk 0.60cvss epss 0.00

    Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to 20.18.0, the XML-RPC / SOAP API session ID is generated using an…

  • CVE-2024-3411CriApr 30, 2024
    risk 0.59cvss 9.1epss 0.01

    Implementations of IPMI Authenticated sessions does not provide enough randomness to protect from session hijacking, allowing an attacker to use either predictable IPMI Session ID or weak BMC Random Number to bypass security controls using spoofed IPMI packets to manage BMC…

  • CVE-2025-50122HigJul 11, 2025
    risk 0.58cvss epss 0.00

    A CWE-331: Insufficient Entropy vulnerability exists that could cause root password discovery when the password generation algorithm is reverse engineered with access to installation or upgrade artifacts.

  • CVE-2026-4827HigMay 12, 2026
    risk 0.57cvss epss 0.00

    CWE‑331: Insufficient Entropy vulnerability exists that could lead to unauthorized access when an attacker on the network can exploit weaknesses in session‑management protections.

  • CVE-2026-2336HigApr 16, 2026
    risk 0.57cvss epss 0.00

    A privilege escalation vulnerability in Microchip IStaX allows an authenticated low-privileged user to recover a shared per-device cookie secret from their own webstax_auth session cookie and forge a new cookie with administrative privileges.This issue affects IStaX before…

  • CVE-2025-15387HigDec 31, 2025
    risk 0.57cvss 8.8epss 0.00

    VPN Firewall developed by QNO Technology has a Insufficient Entropy vulnerability, allowing unauthenticated remote attackers to obtain any logged-in user session through brute-force attacks and subsequently log into the system.

  • CVE-2018-1000620CriJul 9, 2018
    risk 0.57cvss 9.8epss 0.02

    Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via…

  • CVE-2008-1447MedJul 8, 2008
    risk 0.55cvss 6.8epss 0.95

    The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses…

  • CVE-2014-8422HigApr 12, 2018
    risk 0.53cvss 8.1epss 0.02

    The web-based management (WBM) interface in Unify (former Siemens) OpenStage SIP and OpenScape Desk Phone IP V3 devices before R3.32.0 generates session cookies with insufficient entropy, which makes it easier for remote attackers to hijack sessions via a brute-force attack.

  • CVE-2017-13992HigOct 5, 2017
    risk 0.53cvss 8.1epss 0.04

    An Insufficient Entropy issue was discovered in LOYTEC LVIS-3ME versions prior to 6.2.0. The application does not utilize sufficiently random number generation for the web interface authentication mechanism, which could allow remote code execution.

  • CVE-2024-6508HigAug 21, 2024
    risk 0.52cvss 8.0epss 0.01

    An insufficient entropy vulnerability was found in the Openshift Console. In the authorization code type and implicit grant type, the OAuth2 protocol is vulnerable to a Cross-Site Request Forgery (CSRF) attack if the state parameter is used inefficiently. This flaw allows…

  • CVE-2025-1860HigMar 28, 2025
    risk 0.50cvss 7.7epss 0.00

    Data::Entropy for Perl 0.007 and earlier use the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.

  • CVE-2026-46474HigMay 15, 2026
    risk 0.49cvss 7.5epss 0.00

    Trog::TOTP versions before 1.006 for Perl generate secrets using rand. Secrets were generated using Perl's built-in rand function, which is predictable and unsuitable for security usage.

  • CVE-2024-53522HigJan 7, 2025
    risk 0.49cvss 7.5epss 0.01

    Bangkok Medical Software HOSxP XE v4.64.11.3 was discovered to contain a hardcoded IDEA Key-IV pair in the HOSxPXE4.exe and HOS-WIN32.INI components. This allows attackers to access sensitive information.

  • CVE-2015-3405HigAug 9, 2017
    risk 0.49cvss 7.5epss 0.05

    ntp-keygen in ntp 4.2.8px before 4.2.8p2-RC2 and 4.3.x before 4.3.12 does not generate MD5 keys with sufficient entropy on big endian machines when the lowest order byte of the temp variable is between 0x20 and 0x7f and not #, which might allow remote attackers to obtain the…

  • CVE-2017-0897HigJun 22, 2017
    risk 0.49cvss 7.5epss 0.04

    ExpressionEngine version 2.x < 2.11.8 and version 3.x < 3.5.5 create an object signing token with weak entropy. Successfully guessing the token can lead to remote code execution.

  • CVE-2001-0950HigDec 4, 2001
    risk 0.49cvss 7.5epss 0.02

    ValiCert Enterprise Validation Authority (EVA) Administration Server 3.3 through 4.2.1 uses insufficiently random data to (1) generate session tokens for HSMs using the C rand function, or (2) generate certificates or keys using /dev/urandom instead of another source which…

  • CVE-2018-10240HigMay 16, 2018
    risk 0.48cvss 7.3epss 0.01

    SolarWinds Serv-U MFT before 15.1.6 HFv1 assigns authenticated users a low-entropy session token that can be included in requests to the application as a URL parameter in lieu of a session cookie. This session token's value can be brute-forced by an attacker to obtain the…