Missing Authentication Enforcement in WSO2 Products
CVE-2025-9312

9.8CRITICAL

Key Information:

Vendor: Wso2
Status: Wso2 Api Manager; Wso2 Api Control Plane; Wso2 Traffic Manager; Wso2 Universal Gateway
Vendor: CVE Published:; 18 November 2025

What is CVE-2025-9312?

A vulnerability in the mutual TLS (mTLS) implementation across various WSO2 products allows certain default configurations to bypass authentication checks. Specifically, the improper validation of client certificate-based authentication can lead to unauthenticated requests being processed by System REST APIs and SOAP services. Attackers with network access to the affected endpoints may exploit this flaw to gain administrative privileges and execute unauthorized operations. This vulnerability arises when default mTLS settings are utilized, and it does not impact all forms of certificate-based authentication; other mechanisms, including Mutual TLS OAuth client authentication and X.509 login flows, remain secure.

Affected Version(s)

org.wso2.carbon.identity.auth.service 1.1.1 < 1.1.1.2

org.wso2.carbon.identity.auth.service 1.1.16 < 1.1.16.3

org.wso2.carbon.identity.auth.service 1.1.18 < 1.1.18.4

References

https://security.docs.wso2.com/en/latest/security-announc...

vendor-advisory

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 18, 2025
Vulnerability Reserved
Aug 21, 2025

JSON

Wso2

What is CVE-2025-9312?

Affected Version(s)

References

CVSS V3.1

Timeline