Authentication Bypass in Multiple WSO2 Products via Stale FIDO Credential...

3.3 / 10

LOW

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N

Description

An authentication bypass vulnerability exists in multiple WSO2 products when FIDO authentication is enabled. When a user account is deleted, the system does not automatically remove associated FIDO registration data. If a new user account is later created using the same username, the system may associate the new account with the previously registered FIDO device.

This flaw may allow a previously deleted user to authenticate using their FIDO credentials and impersonate the newly created user, resulting in unauthorized access. The vulnerability applies only to deployments that utilize FIDO-based authentication.

Basic Information

ID CVE-2025-0672

Source WSO2

Published Sep 23, 2025 at 17:30

Affected Product

Vendor WSO2

Product WSO2 Identity Server as Key Manager

Affected Versions WSO2 WSO2 Identity Server as Key Manager 5.10.0
WSO2 WSO2 Identity Server 5.10.0
WSO2 WSO2 Identity Server 5.11.0
WSO2 WSO2 Open Banking IAM 2.0.0

References

security.docs.wso2.com /en/latest/security-announcements/security-advisories/2025/WSO2-2025-3134/

{
    "lastseen": "",
    "description": "An authentication bypass vulnerability exists in multiple WSO2 products when FIDO authentication is enabled. When a user account is deleted, the system does not automatically remove associated FIDO registration data. If a new user account is later created using the same username, the system may associate the new account with the previously registered FIDO device.\n\nThis flaw may allow a previously deleted user to authenticate using their FIDO credentials and impersonate the newly created user, resulting in unauthorized access. The vulnerability applies only to deployments that utilize FIDO-based authentication.",
    "published": "2025-09-23T17:30:42.687Z",
    "modified": "2025-09-23T17:30:42.687Z",
    "type": "cve",
    "title": "Authentication Bypass in Multiple WSO2 Products via Stale FIDO Credential Association",
    "source": "WSO2",
    "references": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3134/",
    "id": "CVE-2025-0672",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "WSO2 WSO2 Identity Server as Key Manager 5.10.0\nWSO2 WSO2 Identity Server 5.10.0\nWSO2 WSO2 Identity Server 5.11.0\nWSO2 WSO2 Open Banking IAM 2.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 3.3,
        "severity": "LOW",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "WSO2 Identity Server as Key Manager",
    "version": "0",
    "vendor": "WSO2",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Authentication Bypass in Multiple WSO2 Products via Stale FIDO Credential Association_CVE-2025-0672

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply