CVE-2025-0663
published 2025-09-23CVE-2025-0663: A cross-tenant authentication vulnerability exists in multiple WSO2 products due to improper cryptographic design in Adaptive Authentication. A single…
PriorityP336medium6.8CVSS 3.1
AVAACLPRHUINSUCHIHAH
EPSS
0.23%
13.2th percentile
A cross-tenant authentication vulnerability exists in multiple WSO2 products due to improper cryptographic design in Adaptive Authentication. A single cryptographic key is used across all tenants to sign authentication cookies, allowing a privileged user in one tenant to forge authentication cookies for users in other tenants.
Because the Auto-Login feature is enabled by default, this flaw may allow an attacker to gain unauthorized access and potentially take over accounts in other tenants. Successful exploitation requires access to Adaptive Authentication functionality, which is typically restricted to high-privileged users. The vulnerability is only exploitable when Auto-Login is enabled, reducing its practical impact in deployments where the feature is disabled.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wso2 | identity_server | — | — |
| wso2 | identity_server | — | — |
| wso2 | identity_server | — | — |
| wso2 | identity_server | — | — |
| wso2 | identity_server | — | — |
| wso2 | identity_server_as_key_manager | — | — |
| wso2 | open_banking_iam | — | — |
| wso2 | wso2_identity_server | >= 5.10.0 < 5.10.0.343 | 5.10.0.343 |
| wso2 | wso2_identity_server | >= 5.11.0 < 5.11.0.392 | 5.11.0.392 |
| wso2 | wso2_identity_server | >= 6.0.0 < 6.0.0.228 | 6.0.0.228 |
| wso2 | wso2_identity_server | >= 6.1.0 < 6.1.0.220 | 6.1.0.220 |
| wso2 | wso2_identity_server | >= 7.0.0 < 7.0.0.88 | 7.0.0.88 |
| wso2 | wso2_identity_server_as_key_manager | >= 5.10.0 < 5.10.0.336 | 5.10.0.336 |
| wso2 | wso2_open_banking_iam | >= 2.0.0 < 2.0.0.387 | 2.0.0.387 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
2025-09-23
Published