CVE-2025-9312
BaseFortify
Publication date: 2025-11-18
Last updated on: 2025-12-08
Assigner: WSO2 LLC
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wso2 | api_control_plane | 4.5.0 |
| wso2 | api_manager | 2.2.0 |
| wso2 | api_manager | 2.5.0 |
| wso2 | api_manager | 2.6.0 |
| wso2 | api_manager | 3.0.0 |
| wso2 | api_manager | 3.1.0 |
| wso2 | api_manager | 3.2.0 |
| wso2 | api_manager | 3.2.1 |
| wso2 | api_manager | 4.0.0 |
| wso2 | api_manager | 4.1.0 |
| wso2 | api_manager | 4.2.0 |
| wso2 | api_manager | 4.3.0 |
| wso2 | api_manager | 4.4.0 |
| wso2 | api_manager | 4.5.0 |
| wso2 | identity_server | 5.2.0 |
| wso2 | identity_server | 5.3.0 |
| wso2 | identity_server | 5.4.0 |
| wso2 | identity_server | 5.4.1 |
| wso2 | identity_server | 5.5.0 |
| wso2 | identity_server | 5.6.0 |
| wso2 | identity_server | 5.7.0 |
| wso2 | identity_server | 5.8.0 |
| wso2 | identity_server | 5.9.0 |
| wso2 | identity_server | 5.10.0 |
| wso2 | identity_server | 5.11.0 |
| wso2 | identity_server | 6.0.0 |
| wso2 | identity_server | 6.1.0 |
| wso2 | identity_server | 7.0.0 |
| wso2 | identity_server | 7.1.0 |
| wso2 | identity_server | 7.2.0 |
| wso2 | identity_server_as_key_manager | 5.3.0 |
| wso2 | identity_server_as_key_manager | 5.5.0 |
| wso2 | identity_server_as_key_manager | 5.6.0 |
| wso2 | identity_server_as_key_manager | 5.7.0 |
| wso2 | identity_server_as_key_manager | 5.9.0 |
| wso2 | identity_server_as_key_manager | 5.10.0 |
| wso2 | open_banking_am | 1.4.0 |
| wso2 | open_banking_am | 1.5.0 |
| wso2 | open_banking_am | 2.0.0 |
| wso2 | open_banking_iam | 2.0.0 |
| wso2 | open_banking_km | 1.4.0 |
| wso2 | open_banking_km | 1.5.0 |
| wso2 | traffic_manager | 4.5.0 |
| wso2 | universal_gateway | 4.5.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a missing authentication enforcement issue in the mutual TLS (mTLS) implementation used by System REST APIs and SOAP services in multiple WSO2 products. Due to improper validation of client certificateβbased authentication in certain default configurations, these components may allow unauthenticated requests even when mTLS is enabled. This means that the system might accept requests without properly verifying the client's identity, potentially allowing unauthorized access.
How can this vulnerability impact me? :
If exploited, a malicious actor with network access to the affected endpoints can gain administrative privileges and perform unauthorized operations. This could lead to a complete compromise of the affected system's confidentiality, integrity, and availability. However, exploitation is only possible when the impacted mTLS flows are enabled and accessible in the deployment.