Security Advisory WSO2-2025-4494/CVE-2025-9312

Published: 2025-11-13

Version: 1.0.0

Severity: Critical

CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVE IDs: CVE-2025-9312


AFFECTED PRODUCTS

  • WSO2 API Control Plane 4.5.0
  • WSO2 API Manager 4.5.0, 4.4.0, 4.3.0, 4.2.0, 4.1.0, 4.0.0, 3.2.1, 3.2.0, 3.1.0, 3.0.0, 2.6.0, 2.5.0, 2.2.0
  • WSO2 Identity Server as Key Manager 5.10.0, 5.9.0, 5.7.0, 5.6.0, 5.5.0, 5.3.0
  • WSO2 Identity Server 7.1.0, 7.0.0, 6.1.0, 6.0.0, 5.11.0, 5.10.0, 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0, 5.4.1, 5.4.0, 5.3.0, 5.2.0
  • WSO2 Open Banking KM 1.5.0, 1.4.0
  • WSO2 Open Banking AM 2.0.0, 1.5.0, 1.4.0
  • WSO2 Open Banking IAM 2.0.0
  • WSO2 Traffic Manager 4.5.0
  • WSO2 Universal Gateway 4.5.0

OVERVIEW

Potential account takeover via mutual TLS-based authentication.

DESCRIPTION

In the mutual TLS (mTLS) implementation used for System REST APIs and SOAP services of WSO2 products:

  • Unauthenticated access to System REST APIs could occur when relying on the default mTLS configuration, which allows access without additional authentication.

  • This is enabled by default in the following products:

    • WSO2 Identity Server
    • WSO2 Identity Server Key Manager
    • WSO2 Open Banking IAM
    • WSO2 Open Banking Key Manager

  • This is disabled by default in all other products. However, we recommend reviewing your configurations based on the details of this advisory.

  • Unauthenticated access to SOAP services could occur if the mTLS authenticator is enabled, allowing access without additional authentication. This authenticator is not included with WSO2 API Manager and WSO2 Open Banking AM.

IMPACT

Successful exploitation of this vulnerability could allow a malicious actor to gain administrative access to the affected product and perform unauthorized operations.

Although the following flows use similar certificate-based authentication, those are not affected by this vulnerability:

  1. Mutual TLS OAuth client authentication [^1]
  2. X.509 certificate–based authentication [^2]

Additionally, any APIs created and exposed through the WSO2 API Manager's API Gateway remain unaffected.

SOLUTION

If you use multiple WSO2 products or multiple product profiles, you need to evaluate the solution for each of them separately.

You could use the WSO2 products in the following manner with regard to mTLS:

  • Use case 1: You don't have any clients that use mTLS to connect to the WSO2 products.
  • Use case 2: You have clients that use mTLS to connect to the WSO2 products for transport-level security, but don't use certificate-based authentication for System REST APIs or SOAP services.
  • Use case 3: You have clients that use mTLS to connect to the WSO2 products, and use certificate-based authentication for System REST API or SOAP service access.

If you are using any of the following features on top of any of the following versions, certificate-based authentication is used internally for System REST APIs. Therefore, you must refer to the instructions for Use case 3.

If you use the products with "Use case 1", you don't need to update the product; instead, apply the provided safeguards as described in the instructions for Use case 1.

If you use the products with "Use case 2" or "Use case 3", you may need to update the product and apply the safeguards as instructed below:

Community Users (Open Source)

Apply the relevant fixes to your product using the public fix(es) provided below.

If applying the fix or update is not feasible, migrate to the latest unaffected version of the respective WSO2 product(s).

Support Subscription Holders

Update your product to the specified update level or a higher update level to apply the fix.

Info

WSO2 Support Subscription Holders may use WSO2 Updates in order to apply the fix.

Product Name                          Product Version   U2 Update Level
------------------------------------  ----------------  ---------------
WSO2 API Manager                      2.2.0             58
WSO2 API Manager                      2.5.0             84
WSO2 API Manager                      2.6.0             145
WSO2 API Manager                      3.0.0             175
WSO2 API Manager                      3.1.0             339
WSO2 API Manager                      3.2.0             439
WSO2 API Manager                      3.2.1             59
WSO2 API Manager                      4.0.0             359
WSO2 API Manager                      4.1.0             222
WSO2 API Manager                      4.2.0             161
WSO2 API Manager                      4.3.0             73
WSO2 API Manager                      4.4.0             37
WSO2 API Manager                      4.5.0             21
WSO2 API Control Plane                4.5.0             22
WSO2 Traffic Manager                  4.5.0             20
WSO2 Universal Gateway                4.5.0             20
WSO2 Identity Server as Key Manager   5.3.0             39
WSO2 Identity Server as Key Manager   5.5.0             52
WSO2 Identity Server as Key Manager   5.6.0             74
WSO2 Identity Server as Key Manager   5.7.0             124
WSO2 Identity Server as Key Manager   5.9.0             175
WSO2 Identity Server as Key Manager   5.10.0            358
WSO2 Identity Server                  5.2.0             33
WSO2 Identity Server                  5.3.0             34
WSO2 Identity Server                  5.4.0             33
WSO2 Identity Server                  5.4.1             37
WSO2 Identity Server                  5.5.0             51
WSO2 Identity Server                  5.6.0             59
WSO2 Identity Server                  5.7.0             125
WSO2 Identity Server                  5.8.0             109
WSO2 Identity Server                  5.9.0             168
WSO2 Identity Server                  5.10.0            368
WSO2 Identity Server                  5.11.0            411
WSO2 Identity Server                  6.0.0             243
WSO2 Identity Server                  6.1.0             241
WSO2 Identity Server                  7.0.0             116
WSO2 Identity Server                  7.1.0             23
WSO2 Open Banking KM                  1.4.0             132
WSO2 Open Banking KM                  1.5.0             122
WSO2 Open Banking AM                  1.4.0             138
WSO2 Open Banking AM                  1.5.0             139
WSO2 Open Banking AM                  2.0.0             388
WSO2 Open Banking IAM                 2.0.0             408
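
As an added example (not WSO2's code), the following fleet check parses rows of the update-level table above and classifies each deployed instance against this advisory; it assumes you can list your instances as (product, version, applied U2 level) triples, and both the table excerpt and the sample inventory are constructed from this advisory.

```python
import re

# Excerpt of the advisory's U2 update level table, copied row for row
# (product, version, first fixed update level); add the remaining rows likewise.
FIXED_LEVELS_TEXT = """
WSO2 API Manager 4.5.0 21
WSO2 API Manager 4.4.0 37
WSO2 API Control Plane 4.5.0 22
WSO2 Identity Server as Key Manager 5.10.0 358
WSO2 Identity Server 5.11.0 411
WSO2 Identity Server 7.1.0 23
WSO2 Open Banking IAM 2.0.0 408
WSO2 Open Banking KM 1.5.0 122
"""

# Products in which the advisory says the mTLS authenticator is enabled by default.
EXPOSED_BY_DEFAULT = {"WSO2 Identity Server", "WSO2 Identity Server as Key Manager",
                      "WSO2 Open Banking IAM", "WSO2 Open Banking KM"}

# Product names contain spaces, so anchor on the trailing "<version> <level>" pair.
ROW_RE = re.compile(r"^(?P<product>.+?)\s+(?P<version>\d+(?:\.\d+)+)\s+(?P<level>\d+)$")


def parse_fixed_levels(text: str) -> dict[tuple[str, str], int]:
    """Map (product, version) -> first fixed update level, rejecting malformed rows."""
    table = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable advisory row: {line!r}")
        table[(m["product"], m["version"])] = int(m["level"])
    return table


def assess(product: str, version: str, update_level: int, table=None) -> str:
    """Classify one deployed instance against the advisory's fixed update levels."""
    table = parse_fixed_levels(FIXED_LEVELS_TEXT) if table is None else table
    fixed = table.get((product, version))
    if fixed is None:
        return "NOT_LISTED"  # version not in this advisory's table; verify separately
    if update_level >= fixed:
        return "FIXED"
    if product in EXPOSED_BY_DEFAULT:
        return "UPDATE_REQUIRED_EXPOSED_BY_DEFAULT"
    return "UPDATE_REQUIRED_IF_MTLS_AUTHENTICATOR_ENABLED"


# Constructed sample inventory: (product, version, currently applied U2 level).
INVENTORY = [("WSO2 Identity Server", "7.1.0", 22), ("WSO2 API Manager", "4.4.0", 12)]


def report(inventory=INVENTORY) -> list[tuple[str, str, str]]:
    return [(p, v, assess(p, v, lvl)) for p, v, lvl in inventory]
```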

Note

After applying this update, the product's default behavior is changed to restrict vulnerable flows.

We have tested the general product use cases after incorporating this fix. However, please make sure to test your business use cases in development/test environments before proceeding to update the production environment, especially if you are using the products with the "Use case 3" outlined in the solution section above.

References

[^1] https://is.docs.wso2.com/en/7.1.0/references/app-settings/oidc-settings-for-app/#client-authentication

[^2] https://is.docs.wso2.com/en/7.1.0/guides/authentication/mfa/add-x509-login/