#VU121011 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in coTURN - CVE-2025-69217
Published: January 7, 2026
coTURN
Description
The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists because, after a refactoring, a weak random number generator is used for nonces and port randomization. A remote attacker can send 50 unauthenticated allocation requests and completely reconstruct the current state of the random number generator, leading to spoofing, authentication bypass and denial of service.
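The hardened pattern for both values named above, as an added example that is not coTURN's code or its actual fix: nonces and relay ports are drawn from the kernel CSPRNG, so observed outputs reveal nothing about later ones. The function names, the 16-byte nonce length, the sample port range and the use of Linux `getrandom()` are assumptions of this sketch.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/random.h>

/* Fill buf from the kernel CSPRNG, retrying on EINTR and short reads. */
static int csprng_bytes(void *buf, size_t len) {
    uint8_t *p = buf;
    while (len > 0) {
        ssize_t n = getrandom(p, len, 0);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) return -1;   /* fail closed: no fallback to a libc PRNG */
        p += n; len -= (size_t)n;
    }
    return 0;
}

/* Hex nonce from nbytes random bytes (1..32); out must hold 2*nbytes+1 chars. */
int make_nonce(char *out, size_t nbytes) {
    static const char hex[] = "0123456789abcdef";
    uint8_t raw[32];
    if (nbytes == 0 || nbytes > sizeof raw || csprng_bytes(raw, nbytes) != 0) return -1;
    for (size_t i = 0; i < nbytes; i++) {
        out[2 * i] = hex[raw[i] >> 4];
        out[2 * i + 1] = hex[raw[i] & 0x0f];
    }
    out[2 * nbytes] = '\0';
    return 0;
}

/* Uniform port in [lo, hi]; rejection sampling avoids modulo bias. -1 on error. */
int pick_port(uint16_t lo, uint16_t hi) {
    if (lo > hi) return -1;
    uint32_t span = (uint32_t)hi - lo + 1;      /* 1..65536 */
    uint32_t limit = 65536u - (65536u % span);  /* largest multiple of span <= 65536 */
    uint16_t r;
    do {
        if (csprng_bytes(&r, sizeof r) != 0) return -1;
    } while (r >= limit);
    return (int)(lo + r % span);
}

int main(void) {
    char nonce[33];
    if (make_nonce(nonce, 16) != 0) return 1;   /* sample length, sample port range */
    printf("nonce=%s (%zu chars) port=%d\n", nonce, strlen(nonce), pick_port(49152, 65535));
    return 0;
}
```

Both helpers return -1 rather than degrading to a predictable source when the CSPRNG is unavailable, so a caller has to reject the request instead of issuing a guessable nonce or port.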