Cross-Tenant Authentication Vulnerability in WSO2 Products
CVE-2025-0663

6.8 MEDIUM

What is CVE-2025-0663?

A cross-tenant authentication vulnerability has been identified in multiple WSO2 products, caused by an inadequate cryptographic design in the Adaptive Authentication feature. A single cryptographic key is used across all tenants to sign authentication cookies, so a user with elevated privileges in one tenant can fabricate authentication cookies that are accepted by other tenants and thereby gain unauthorized access to user accounts in those tenants. The issue is aggravated by the Auto-Login feature being enabled by default, which increases the risk of account takeover. Exploitation requires access to Adaptive Authentication capabilities, which are normally restricted to high-privilege users, so the attacker must already hold such privileges in some tenant. The impact of the flaw is reduced in deployments where Auto-Login has been disabled.
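The following is an added, constructed model of the design flaw described above; it is not WSO2 code and does not reproduce WSO2's actual auto-login cookie format. It assumes a JSON payload carrying a tenant and user name, an HMAC-SHA256 tag, the tenant names attacker.example and victim.example, and a privileged attacker who can sign cookies with whatever key their own tenant uses. The shared-key variant (the vulnerable design) accepts a cookie minted in one tenant for a user of another; the per-tenant-key variant and the Auto-Login kill switch both stop the forgery.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Constructed illustration: one HMAC key shared by every tenant versus a key derived
# per tenant. Cookie layout, key derivation label and tenant names are assumptions
# made for this example; they are not WSO2's implementation.
MASTER_SECRET = secrets.token_bytes(32)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def shared_key(tenant: str) -> bytes:
    """Vulnerable design: every tenant signs and verifies with the same key."""
    return MASTER_SECRET


def per_tenant_key(tenant: str) -> bytes:
    """Hardened design: derive a distinct signing key per tenant from the master secret
    (HMAC-based derivation with the tenant name as context, assumed for this example)."""
    return hmac.new(MASTER_SECRET, b"auto-login-cookie|" + tenant.encode(),
                    hashlib.sha256).digest()


def sign_cookie(key: bytes, tenant: str, user: str) -> str:
    """Mint an auto-login cookie: base64url(payload).base64url(HMAC-SHA256(payload))."""
    payload = json.dumps({"tenant": tenant, "user": user}, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_cookie(key: bytes, cookie: str, expected_tenant: str):
    """Return the user name if the cookie is authentic for expected_tenant, else None."""
    try:
        encoded_payload, encoded_tag = cookie.split(".")
        payload, tag = _unb64(encoded_payload), _unb64(encoded_tag)
        claims = json.loads(payload)
    except (ValueError, binascii.Error):  # malformed cookie, JSONDecodeError is a ValueError
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    if claims.get("tenant") != expected_tenant:  # tenant binding inside the payload
        return None
    return claims.get("user")


def auto_login(key_for, cookie: str, tenant: str, auto_login_enabled: bool = True):
    """Server-side acceptance of an auto-login cookie presented to `tenant`."""
    if not auto_login_enabled:  # disabling Auto-Login removes the sink entirely
        return None
    return verify_cookie(key_for(tenant), cookie, tenant)


def cross_tenant_forgery(key_for, auto_login_enabled: bool = True):
    """A privileged user of attacker.example signs a cookie with the key their own tenant
    uses, names admin of victim.example in it, and replays it against victim.example.
    Returns the user name victim.example logs in, or None if the cookie is rejected."""
    attacker_tenant, victim_tenant = "attacker.example", "victim.example"
    forged = sign_cookie(key_for(attacker_tenant), victim_tenant, "admin")
    return auto_login(key_for, forged, victim_tenant, auto_login_enabled)


if __name__ == "__main__":
    print("shared key, Auto-Login on :", cross_tenant_forgery(shared_key))
    print("per-tenant key            :", cross_tenant_forgery(per_tenant_key))
    print("shared key, Auto-Login off:", cross_tenant_forgery(shared_key, False))
```

The tenant check inside verify_cookie is not enough on its own: under the shared-key design the forged payload already names the victim tenant and carries a valid tag, so only binding the key to the tenant (or switching Auto-Login off) rejects it.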

Affected Version(s)

WSO2 Identity Server 5.10.0 (update levels earlier than 5.10.0.343)

WSO2 Identity Server 5.11.0 (update levels earlier than 5.11.0.392)

WSO2 Identity Server 6.0.0 (update levels earlier than 6.0.0.228)

CVSS V3.1

Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Score: 6.8
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
