CVE-2025-9312
published 2025-11-18
Severity: critical, CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Priority: P273
EPSS: 0.22% (12.6th percentile)
A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST APIs and SOAP services in multiple WSO2 products. Due to improper validation of client certificate–based authentication in certain default configurations, the affected components may permit unauthenticated requests even when mTLS is enabled. This condition occurs when relying on the default mTLS settings for System REST APIs or when the mTLS authenticator is enabled for SOAP services, causing these interfaces to accept requests without enforcing additional authentication. Successful exploitation allows a malicious actor with network access to the affected endpoints to gain administrative privileges and perform unauthorized operations. The vulnerability is exploitable only when the impacted mTLS flows are enabled and accessible in a given deployment. Other certificate-based authentication mechanisms such as Mutual TLS OAuth client authentication and X.509 login flows are not affected, and APIs served through the API Gateway of WSO2 API Manager remain unaffected.

Affected

102 ranges (showing 25). Version ranges and fixed-in versions were not captured in this extract; only vendor and product survive.

Vendor   Product
wso2     api_control_plane
wso2     api_manager
wso2     identity_server

Detection & IOCs (extracted from sources)

  • Monitor for unauthenticated requests reaching WSO2 System REST API or SOAP service endpoints. Successful exploitation bypasses mTLS authentication entirely, so requests that reach these interfaces without a valid client certificate negotiation are suspicious.
  • Alert on unexpected administrative operations or privilege escalation originating from network-accessible WSO2 System REST API or SOAP endpoints, since exploitation grants administrative privileges.
  • Scope detection to deployments where mTLS flows for System REST APIs or SOAP services are enabled; APIs served through the WSO2 API Manager API Gateway are NOT affected and should be excluded from alerting.
  • The vulnerability is only exploitable when the default mTLS settings are in use for System REST APIs, OR when the mTLS authenticator is explicitly enabled for SOAP services. Deployments not using these specific mTLS flows are not at risk.
  • Mutual TLS OAuth client authentication and X.509 login flows are explicitly confirmed as NOT affected; do not conflate these with the vulnerable mTLS implementation.
  • WSO2 API Manager API Gateway-fronted APIs are not affected; only direct System REST API and SOAP service endpoints are in scope.