Username Enumeration Vulnerability in WSO2 Products
CVE-2025-1396

3.7LOW

Key Information:

Vendor: Wso2
Status: Wso2 Identity Server; Wso2 Open Banking Iam; Wso2 Identity Server As Key Manager
Vendor: CVE Published:; 26 September 2025

What is CVE-2025-1396?

A username enumeration vulnerability exists in multiple WSO2 products when Multi-Attribute Login is enabled. This results in the application returning a distinct 'User does not exist' message upon failed login attempts, independent of the username validation setting. Malicious actors can exploit this response characteristic to ascertain which usernames are valid within the system. This information could facilitate brute-force attacks, targeted phishing campaigns, and other social engineering techniques by confirming the presence of valid user identifiers.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

WSO2 Identity Server 5.10.0 < 5.10.0.346

WSO2 Identity Server 5.11.0 < 5.11.0.395

WSO2 Identity Server 6.0.0 < 6.0.0.231

References

https://security.docs.wso2.com/en/latest/security-announc...

vendor-advisory

CVSS V3.1

Score:

3.7

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 26, 2025
Vulnerability Reserved
Feb 17, 2025

JSON

Wso2

What is CVE-2025-1396?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.