Security Advisory WSO2-2025-3864/CVE-2025-0663
Published: 2025-05-29
Version: 1.0.0
Severity: Medium
CVSS Score: 6.8 (CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
AFFECTED PRODUCTS
- WSO2 Identity Server: 7.0.0, 6.1.0, 6.0.0, 5.11.0, 5.10.0
- WSO2 Identity Server as Key Manager: 5.10.0
- WSO2 Open Banking IAM: 2.0.0
OVERVIEW
Potential cross-tenant account takeover vulnerability via adaptive authentication and auto-login.
DESCRIPTION
A single cryptographic key is used across all tenants to sign cookies generated by Adaptive Authentication. As a result, a privileged user from one tenant can forge the authentication cookies of users in other tenants. Because the Auto-Login feature is enabled by default, this allows for unauthorized access and potential account takeover across multiple tenants.
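To make the design point concrete, the following is an added example written for this page; it is not WSO2 code and does not reproduce WSO2's cookie format, and the class name, tenant names, and per-tenant key derivation are assumptions. It models a multi-tenant auto-login cookie issuer in two configurations: one key shared by every tenant (the condition this advisory describes), and one key derived per tenant. In the shared-key configuration, a privileged user of one tenant who can get cookies signed (as an adaptive-authentication script author can) is able to mint a cookie that another tenant's auto-login accepts.

```python
"""Toy model of the flaw described above: one signing key shared by every tenant.

Added example for this page; it is not WSO2 code.  The cookie format, the
function and tenant names, and the per-tenant key derivation are assumptions
chosen to illustrate the design point, not WSO2's actual implementation.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class CookieIssuer:
    """Mints and checks auto-login cookies for a multi-tenant server.

    per_tenant_keys=False reproduces the advisory's condition (a single key for
    all tenants); per_tenant_keys=True derives a distinct key per tenant.
    """

    def __init__(self, master_key: bytes, per_tenant_keys: bool) -> None:
        self._master = master_key
        self._per_tenant = per_tenant_keys

    def _key(self, tenant: str) -> bytes:
        if not self._per_tenant:
            return self._master  # same key for every tenant: the flaw
        # One-step KDF: HMAC(master, label || tenant).  Storing an independent
        # random key per tenant would work equally well.
        return hmac.new(self._master, b"auto-login-cookie:" + tenant.encode(),
                        hashlib.sha256).digest()

    def issue(self, signing_tenant: str, payload: dict) -> str:
        """Mint a cookie from an adaptive-auth script running in signing_tenant.
        The script author, a privileged user of that tenant, chooses payload."""
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        tag = hmac.new(self._key(signing_tenant), body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64(tag)}"

    def verify(self, request_tenant: str, cookie: str) -> Optional[dict]:
        """Auto-login endpoint of request_tenant: return the payload if the
        cookie is authentic for this tenant, otherwise None."""
        try:
            body, tag = cookie.split(".", 1)
        except ValueError:
            return None
        expected = hmac.new(self._key(request_tenant), body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        payload = json.loads(_unb64(body))
        # Also bind the payload to the tenant it is presented to.  With a shared
        # key this check alone is not enough, because the forger controls payload.
        if payload.get("tenant") != request_tenant:
            return None
        return payload


def cross_tenant_forgery(per_tenant_keys: bool) -> Optional[dict]:
    """A privileged user of attacker.example (assumed tenant name) mints a cookie
    naming a user of victim.example and presents it to victim.example's auto-login."""
    issuer = CookieIssuer(secrets.token_bytes(32), per_tenant_keys)
    forged = issuer.issue("attacker.example",
                          {"tenant": "victim.example", "user": "victim"})
    return issuer.verify("victim.example", forged)


def legitimate_login(per_tenant_keys: bool) -> Optional[dict]:
    """Sanity check: a cookie minted in the right tenant still works."""
    issuer = CookieIssuer(secrets.token_bytes(32), per_tenant_keys)
    cookie = issuer.issue("victim.example",
                          {"tenant": "victim.example", "user": "victim"})
    return issuer.verify("victim.example", cookie)


if __name__ == "__main__":
    print("shared key  -> forged cookie accepted as:", cross_tenant_forgery(False))
    print("per-tenant  -> forged cookie accepted as:", cross_tenant_forgery(True))
```

The tenant field inside the signed payload does not help on its own: the forger writes the payload, so a shared key makes the attacker's own tenant a signing oracle for any tenant. Only key isolation per tenant (derived from a master secret as here, or stored independently) makes a cookie minted in one tenant unverifiable in another, which is the property to confirm after applying the fix.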
IMPACT
A successful attack could allow an attacker to compromise a victim’s account and impersonate them. However, exploiting this vulnerability requires specific privileges to utilize the Adaptive Authentication feature, a level of access generally limited to a small number of high-privileged users within WSO2 products. Additionally, the issue only arises if the Auto-Login feature is enabled. As a result, the practical likelihood of exploitation remains low under these narrow conditions.
SOLUTION
Community Users (Open Source)
We highly recommend migrating to the latest version of the respective WSO2 product to mitigate the identified vulnerability.
Support Subscription Holders
Update your product to the specified update level or a higher update level to apply the fix.
Info: WSO2 Support Subscription Holders may use WSO2 Updates in order to apply the fix.
Product | Version | U2 Update Level |
---|---|---|
WSO2 Identity Server | 7.0.0 | 88 |
WSO2 Identity Server | 6.1.0 | 220 |
WSO2 Identity Server | 6.0.0 | 228 |
WSO2 Identity Server | 5.11.0 | 392 |
WSO2 Identity Server | 5.10.0 | 343 |
WSO2 Identity Server as Key Manager | 5.10.0 | 336 |
WSO2 Open Banking IAM | 2.0.0 | 387 |