Missing Authentication Enforcement in WSO2 Products
CVE-2025-9312

9.8CRITICAL

Key Information:

Vendor

Wso2

Status
Wso2 Api Manager
Wso2 Api Control Plane
Wso2 Traffic Manager
Wso2 Universal Gateway
Vendor
CVE Published:
18 November 2025

What is CVE-2025-9312?

A vulnerability in the mutual TLS (mTLS) implementation across various WSO2 products allows certain default configurations to bypass authentication checks. Specifically, the improper validation of client certificate-based authentication can lead to unauthenticated requests being processed by System REST APIs and SOAP services. Attackers with network access to the affected endpoints may exploit this flaw to gain administrative privileges and execute unauthorized operations. This vulnerability arises when default mTLS settings are utilized, and it does not impact all forms of certificate-based authentication; other mechanisms, including Mutual TLS OAuth client authentication and X.509 login flows, remain secure.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

org.wso2.carbon.identity.auth.service 1.1.1 < 1.1.1.2

org.wso2.carbon.identity.auth.service 1.1.16 < 1.1.16.3

org.wso2.carbon.identity.auth.service 1.1.18 < 1.1.18.4

References

https://security.docs.wso2.com/en/latest/security-announc...
vendor-advisory

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.