diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java
index fe043dadab5..43d148a3428 100644
--- a/src/java.base/share/classes/module-info.java
+++ b/src/java.base/share/classes/module-info.java
@@ -318,6 +318,7 @@ module java.base {
     exports sun.security.internal.spec to
         jdk.crypto.cryptoki;
     exports sun.security.jca to
+        java.security.sasl,
         java.smartcardio,
         jdk.crypto.cryptoki,
         jdk.naming.dns;
diff --git a/src/java.security.sasl/share/classes/com/sun/security/sasl/CramMD5Server.java b/src/java.security.sasl/share/classes/com/sun/security/sasl/CramMD5Server.java
index 42a0409920c..b3dda2c869c 100644
--- a/src/java.security.sasl/share/classes/com/sun/security/sasl/CramMD5Server.java
+++ b/src/java.security.sasl/share/classes/com/sun/security/sasl/CramMD5Server.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,11 +25,13 @@
 
 package com.sun.security.sasl;
 
+import sun.security.jca.JCAUtil;
+
 import java.io.IOException;
 import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 import java.util.logging.Level;
 import java.util.Map;
-import java.util.Random;
 import javax.security.sasl.*;
 import javax.security.auth.callback.*;
 
@@ -52,6 +54,10 @@ import static java.nio.charset.StandardCharsets.UTF_8;
  * @author Rosanna Lee
  */
 final class CramMD5Server extends CramMD5Base implements SaslServer {
+
+    /* SecureRandom instance to generate random digits used in challenge */
+    private static final SecureRandom SECURE_RANDOM = JCAUtil.getDefSecureRandom();
+
     private String fqdn;
     private byte[] challengeData = null;
     private String authzid;
@@ -113,8 +119,7 @@ final class CramMD5Server extends CramMD5Base implements SaslServer {
                 }
 
                 // Generate challenge {random, timestamp, fqdn}
-                Random random = new Random();
-                long rand = random.nextLong();
+                long rand = SECURE_RANDOM.nextLong();
                 long timestamp = System.currentTimeMillis();
 
                 StringBuilder sb = new StringBuilder();
diff --git a/src/java.security.sasl/share/classes/com/sun/security/sasl/digest/DigestMD5Base.java b/src/java.security.sasl/share/classes/com/sun/security/sasl/digest/DigestMD5Base.java
index 535c11b4f0c..567c7171116 100644
--- a/src/java.security.sasl/share/classes/com/sun/security/sasl/digest/DigestMD5Base.java
+++ b/src/java.security.sasl/share/classes/com/sun/security/sasl/digest/DigestMD5Base.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -33,10 +33,10 @@ import java.util.Map;
 import java.util.Arrays;
 import java.util.List;
 import java.util.logging.Level;
-import java.util.Random;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.InvalidKeyException;
+import java.security.SecureRandom;
 import java.security.spec.KeySpec;
 import java.security.spec.InvalidKeySpecException;
 import java.security.InvalidAlgorithmParameterException;
@@ -59,6 +59,7 @@ import javax.security.auth.callback.CallbackHandler;
 import javax.security.sasl.*;
 
 import com.sun.security.sasl.util.AbstractSaslImpl;
+import sun.security.jca.JCAUtil;
 
 /**
  * Utility class for DIGEST-MD5 mechanism. Provides utility methods
@@ -132,6 +133,9 @@ abstract class DigestMD5Base extends AbstractSaslImpl {
 
     protected static final byte[] EMPTY_BYTE_ARRAY = new byte[0];
 
+    /* SecureRandom instance to generate nonce */
+    private static final SecureRandom SECURE_RANDOM = JCAUtil.getDefSecureRandom();
+
     /* ------------------- Variable Fields ----------------------- */
 
     /* Used to track progress of authentication; step numbers from RFC 2831 */
@@ -269,7 +273,6 @@ abstract class DigestMD5Base extends AbstractSaslImpl {
      * is slightly faster and a more compact representation of the same info.
      * @return A non-null byte array containing the nonce value for the
      * digest challenge or response.
-     * Could use SecureRandom to be more secure but it is very slow.
      */
 
     /** This array maps the characters to their 6 bit values */
@@ -293,10 +296,8 @@ abstract class DigestMD5Base extends AbstractSaslImpl {
 
     protected static final byte[] generateNonce() {
 
-        // SecureRandom random = new SecureRandom();
-        Random random = new Random();
         byte[] randomData = new byte[RAW_NONCE_SIZE];
-        random.nextBytes(randomData);
+        SECURE_RANDOM.nextBytes(randomData);
 
         byte[] nonce = new byte[ENCODED_NONCE_SIZE];