CVE-2025-0663
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-23

Last updated on: 2025-10-06

Assigner: WSO2 LLC

Description
A cross-tenant authentication vulnerability exists in multiple WSO2 products due to improper cryptographic design in Adaptive Authentication. A single cryptographic key is used across all tenants to sign authentication cookies, allowing a privileged user in one tenant to forge authentication cookies for users in other tenants. Because the Auto-Login feature is enabled by default, this flaw may allow an attacker to gain unauthorized access and potentially take over accounts in other tenants. Successful exploitation requires access to Adaptive Authentication functionality, which is typically restricted to high-privileged users. The vulnerability is only exploitable when Auto-Login is enabled, reducing its practical impact in deployments where the feature is disabled.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-23
Last Modified
2025-10-06
Generated
2026-06-16
AI Q&A
2025-09-23
EPSS Evaluated
2026-06-14
NVD
CVE-2025-0663
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
wso2 identity_server 5.10.0
wso2 identity_server 5.11.0
wso2 identity_server 6.0.0
wso2 identity_server 6.1.0
wso2 identity_server 7.0.0
wso2 identity_server_as_key_manager 5.10.0
wso2 open_banking_iam 2.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a cross-tenant authentication issue in multiple WSO2 products caused by improper cryptographic design in Adaptive Authentication. Specifically, a single cryptographic key is used across all tenants to sign authentication cookies. This allows a privileged user in one tenant to forge authentication cookies for users in other tenants, potentially gaining unauthorized access.

Impact Analysis

If exploited, this vulnerability can allow an attacker with high privileges in one tenant to gain unauthorized access to accounts in other tenants, potentially taking over those accounts. The impact is significant because it affects confidentiality, integrity, and availability of user accounts across tenants. However, exploitation requires access to Adaptive Authentication functionality and the Auto-Login feature must be enabled.

Mitigation Strategies

To mitigate this vulnerability, you should disable the Auto-Login feature in your WSO2 products, as the vulnerability is only exploitable when Auto-Login is enabled. Additionally, restrict access to the Adaptive Authentication functionality to only the highest privileged users to reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-0663. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart