The Trog::TOTP module, before version 1.006, creates TOTP shared secrets with Perl's built‑in rand function, which is not cryptographically secure and can be predicted by an attacker. This flaw means an adversary could potentially derive the secret used for time‑based one‑time passwords, allowing them to generate valid OTPs or impersonate a legitimate user. The weakness falls under CWE‑331 (Predictable Random Number Generation).

All installations of the TEODESIAN Trog::TOTP Perl package with a version earlier than 1.006 are affected. Systems that employ this module for generating or storing OTP secrets, such as authentication services or multi‑factor configurations, are at risk if the old version is still in use.

The CVSS score is not provided, and the EPSS score is unavailable, indicating that no public exploitation data exists yet. However, because the secret generation itself is insecure, the potential for compromise remains high. The vulnerability is not listed in the CISA KEV catalog. An attacker who can observe a generated secret or has access to the randomisation process could predict future values, so the flaw is considered significant and warrants immediate rectification.