Overview
A critical vulnerability, identified as CVE-2025-13470, has been discovered in RNP version 0.18.0. This flaw affects public-key encryption (PKESK packets) due to a regression that results in an all-zero session key being used. This means any data encrypted using public-key encryption in this version can be trivially decrypted, leading to a complete breach of confidentiality.
Technical Details
The vulnerability stems from a refactoring regression in RNP version 0.18.0. During the creation of Public-Key Encrypted Session Key (PKESK) packets, the symmetric session key is left uninitialized, effectively creating an all-zero byte array. This all-zero key is then used to encrypt the data, rendering the encryption useless. Importantly, passphrase-based encryption (SKESK packets) is not affected.
The root cause lies in the encrypted_build_skesk() function. Initialization logic was implemented to randomize the session key for the SKESK path, but this randomization step was inadvertently omitted for the PKESK path.
This defect was introduced in commit 7bd9a8dc356aae756b40755be76d36205b6b161a.
CVSS Analysis
- Severity: HIGH
- CVSS Score: 7.5
A CVSS score of 7.5 indicates a high-severity vulnerability. The ease of exploitation (trivial decryption with an all-zero key) combined with the potential for complete data compromise justifies this rating.
Possible Impact
The impact of this vulnerability is severe. Any data encrypted using public-key encryption with RNP 0.18.0 is vulnerable to trivial decryption. This could expose sensitive information, including:
- Personal data
- Financial information
- Confidential business documents
- Cryptographic keys
Essentially, any application or system relying on RNP 0.18.0 for secure communication or data storage is at significant risk.
Mitigation and Patch Steps
The recommended mitigation is to immediately upgrade to RNP version 0.18.1 or later. Version 0.18.1 contains the fix for this vulnerability.
You can download the patched version from GitHub Releases.
If upgrading is not immediately possible, consider disabling or avoiding the use of public-key encryption (PKESK packets) until the upgrade can be performed. However, this may significantly limit functionality.
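Because only the PKESK path is affected and SKESK is not, stored ciphertext can be triaged by which session-key packets it carries. The following is an added example, not code from RNP or from this advisory: it reads OpenPGP packet headers using the tag numbers from RFC 4880 (1 = PKESK, 3 = SKESK), and the function names and sample bytes are constructed for illustration. It cannot tell which implementation wrote a file, so combine its result with knowledge of where RNP 0.18.0 was in use.

```python
import base64

PKESK, SKESK = 1, 3  # OpenPGP packet tags (RFC 4880, section 4.3)
# Constructed samples with dummy bodies (not real ciphertext): ESK packet, then tag 18.
SAMPLE_PK = bytes([0xC1, 3, 3, 0, 0, 0xD2, 2, 1, 0])
SAMPLE_PW = bytes([0xC3, 4, 4, 9, 0, 8, 0xD2, 2, 1, 0])

def dearmor(data: bytes) -> bytes:
    """Return the binary packets of an ASCII-armored message, or data unchanged."""
    lines = [l.strip() for l in data.strip().splitlines()]
    if not lines or lines[0] != b"-----BEGIN PGP MESSAGE-----":
        return data
    body = lines[lines.index(b"") + 1:-1]  # after the blank line, before END
    return base64.b64decode(b"".join(l for l in body if not l.startswith(b"=")))

def read_header(buf: bytes, pos: int):
    """Parse one packet header; return (tag, body_start, body_len or None)."""
    ctb = buf[pos]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:  # new-format header
        tag, first = ctb & 0x3F, buf[pos + 1]
        if first < 192:
            return tag, pos + 2, first
        if first < 224:
            return tag, pos + 3, ((first - 192) << 8) + buf[pos + 2] + 192
        if first == 255:
            return tag, pos + 6, int.from_bytes(buf[pos + 2:pos + 6], "big")
        return tag, pos + 2, None  # partial body length (data packets)
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03  # old-format header
    if ltype == 3:
        return tag, pos + 1, None  # indeterminate length
    n = 1 << ltype
    return tag, pos + 1 + n, int.from_bytes(buf[pos + 1:pos + 1 + n], "big")

def classify(data: bytes) -> str:
    """Report which session-key packets precede the encrypted data packet."""
    buf, pos, seen = dearmor(data), 0, set()
    while pos < len(buf):
        tag, start, length = read_header(buf, pos)
        if tag not in (PKESK, SKESK) or length is None:
            break  # reached the encrypted data; ESK packets always come first
        seen.add(tag)
        pos = start + length
    if PKESK in seen:
        return "pkesk"  # public-key path: in scope if written by RNP 0.18.0
    return "skesk-only" if SKESK in seen else "no-esk"
```

A message that carries both packet types is reported as `pkesk`, since the session key is shared by every recipient packet.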
