cbcvebase.
CVE-2025-0663
published 2025-09-23

CVE-2025-0663: A cross-tenant authentication vulnerability exists in multiple WSO2 products due to improper cryptographic design in Adaptive Authentication. A single…

PriorityP336medium6.8CVSS 3.1
AVAACLPRHUINSUCHIHAH
EPSS
0.23%
13.2th percentile
A cross-tenant authentication vulnerability exists in multiple WSO2 products due to improper cryptographic design in Adaptive Authentication. A single cryptographic key is used across all tenants to sign authentication cookies, allowing a privileged user in one tenant to forge authentication cookies for users in other tenants. Because the Auto-Login feature is enabled by default, this flaw may allow an attacker to gain unauthorized access and potentially take over accounts in other tenants. Successful exploitation requires access to Adaptive Authentication functionality, which is typically restricted to high-privileged users. The vulnerability is only exploitable when Auto-Login is enabled, reducing its practical impact in deployments where the feature is disabled.

Affected

14 ranges
VendorProductVersion rangeFixed in
wso2identity_server
wso2identity_server
wso2identity_server
wso2identity_server
wso2identity_server
wso2identity_server_as_key_manager
wso2open_banking_iam
wso2wso2_identity_server>= 5.10.0 < 5.10.0.3435.10.0.343
wso2wso2_identity_server>= 5.11.0 < 5.11.0.3925.11.0.392
wso2wso2_identity_server>= 6.0.0 < 6.0.0.2286.0.0.228
wso2wso2_identity_server>= 6.1.0 < 6.1.0.2206.1.0.220
wso2wso2_identity_server>= 7.0.0 < 7.0.0.887.0.0.88
wso2wso2_identity_server_as_key_manager>= 5.10.0 < 5.10.0.3365.10.0.336
wso2wso2_open_banking_iam>= 2.0.0 < 2.0.0.3872.0.0.387
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.