Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-w49t-kp2a-efh3
Vulnerability ID VCID-w49t-kp2a-efh3
Aliases CVE-2017-13099
Summary wolfSSL prior to version 3.12.2 provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable wolfSSL application. This vulnerability is referred to as "ROBOT."
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (0)
There are no known CWE.
System Score Found at
epss 0.78457 https://api.first.org/data/v1/epss?cve=CVE-2017-13099
epss 0.78457 https://api.first.org/data/v1/epss?cve=CVE-2017-13099
epss 0.78457 https://api.first.org/data/v1/epss?cve=CVE-2017-13099
epss 0.78457 https://api.first.org/data/v1/epss?cve=CVE-2017-13099
epss 0.78457 https://api.first.org/data/v1/epss?cve=CVE-2017-13099
epss 0.78457 https://api.first.org/data/v1/epss?cve=CVE-2017-13099
epss 0.78457 https://api.first.org/data/v1/epss?cve=CVE-2017-13099
epss 0.78709 https://api.first.org/data/v1/epss?cve=CVE-2017-13099
epss 0.78709 https://api.first.org/data/v1/epss?cve=CVE-2017-13099
epss 0.78709 https://api.first.org/data/v1/epss?cve=CVE-2017-13099
epss 0.78709 https://api.first.org/data/v1/epss?cve=CVE-2017-13099
epss 0.78709 https://api.first.org/data/v1/epss?cve=CVE-2017-13099
epss 0.78709 https://api.first.org/data/v1/epss?cve=CVE-2017-13099
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2017-13099
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13099
884235 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884235
Data source Metasploit
Description Some TLS implementations handle errors processing RSA key exchanges and encryption (PKCS #1 v1.5 messages) in a broken way that leads an adaptive chosen-chiphertext attack. Attackers cannot recover a server's private key, but they can decrypt and sign messages with it. A strong oracle occurs when the TLS server does not strictly check message formatting and needs less than a million requests on average to decode a given ciphertext. A weak oracle server strictly checks message formatting and often requires many more requests to perform the attack. This module requires Python 3 with the gmpy2 and cryptography packages to be present.
Note 
AKA:
  - ROBOT
  - Adaptive chosen-ciphertext attack
Ransomware campaign use Unknown
Source publication date June 17, 2009
Source URL https://github.com/rapid7/metasploit-framework/tree/master/modules/auxiliary/scanner/ssl/bleichenbacher_oracle.py
There are no known vectors.
Exploit Prediction Scoring System (EPSS)
Percentile 0.99024
EPSS Score 0.78457
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T16:32:27.056803+00:00 Debian Oval Importer Import https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.0.0