CVE-2025-9312
Published 2025-11-18
Priority P273 · Critical · CVSS 3.1 base score 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.22% (12.6th percentile)
A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST APIs and SOAP services in multiple WSO2 products. Due to improper validation of client certificate-based authentication in certain default configurations, the affected components may permit unauthenticated requests even when mTLS is enabled. This condition occurs when relying on the default mTLS settings for System REST APIs or when the mTLS authenticator is enabled for SOAP services, causing these interfaces to accept requests without enforcing additional authentication.
Successful exploitation allows a malicious actor with network access to the affected endpoints to gain administrative privileges and perform unauthorized operations. The vulnerability is exploitable only when the impacted mTLS flows are enabled and accessible in a given deployment. Other certificate-based authentication mechanisms such as Mutual TLS OAuth client authentication and X.509 login flows are not affected, and APIs served through the API Gateway of WSO2 API Manager remain unaffected.
## Affected
102 version ranges listed, 25 shown. Version ranges and fixed versions were not captured in this extract; the 25 shown rows cover only the following vendor/product pairs.

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wso2 | api_control_plane | not captured | not captured |
| wso2 | api_manager | not captured | not captured |
| wso2 | identity_server | not captured | not captured |
## Detection & IOCs (extracted from sources)
Detection guidance:
- Monitor for unauthenticated requests reaching WSO2 System REST API or SOAP service endpoints: successful exploitation bypasses mTLS authentication entirely, so requests that reach these interfaces without valid client certificate negotiation are suspicious.
- Alert on unexpected administrative operations or privilege escalation originating from network-accessible WSO2 System REST API or SOAP endpoints, as exploitation grants administrative privileges.
- Scope detection to deployments where mTLS flows for System REST APIs or SOAP services are enabled; APIs served through the WSO2 API Manager API Gateway are not affected and should be excluded from alerting.

Scoping notes:
- The vulnerability is only exploitable when the default mTLS settings are in use for System REST APIs, or when the mTLS authenticator is explicitly enabled for SOAP services; deployments not using these specific mTLS flows are not at risk.
- Mutual TLS OAuth client authentication and X.509 login flows are explicitly confirmed as not affected; do not conflate these with the vulnerable mTLS implementation.
- WSO2 API Manager API Gateway-fronted APIs are not affected; only direct System REST API and SOAP service endpoints are in scope.
No detection rules found.
No public exploits indexed.
Related: Wiz, "CVE-2025-12107 Impact, Exploitability, and Mitigation Steps" (blogs_wiz · CVSS 7.7 · HIGH)
## CVE-2025-12107: WSO2 Identity Server vulnerability analysis and mitigation
Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject and execute arbitrary template syntax within server-side templates.
Successful exploitation of this vulnerability could allow a malicious actor with admin privilege to inject and execute arbitrary template code on the server, potentially leading to remote code execution, data manipulation, or unauthorized access to sensitive information.
Source: NVD
- Score: 7.2
- Published: February 19, 2026
- Severity: HIGH
- CNA Score: 8.4
- Affected Technologies: WSO2 Identity Server
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability: not captured
Related: Wiz, "CVE-2024-1524 Impact, Exploitability, and Mitigation Steps" (blogs_wiz · CVSS 7.7 · HIGH)
## CVE-2024-1524: WSO2 API Manager vulnerability analysis and mitigation
When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider (IDP) there is a risk that a local user store user's information may be replaced during the account provisioning process in cases where federated users share the same username as local users.
There will be no impact on your deployment if any of the preconditions mentioned below are not met. Only when all the preconditions mentioned below are fulfilled could a malicious actor associate a targeted local user account with a federated IDP user account that they control.
The deployment should have:
- An IDP configured for federated authentication with Silent JIT provisioning enabled.
The malicious actor should have:
- A fre