WSO2 Cross-Tenant Auth Cookie Forgery via Shared Key
CVE-2025-0663 Published on September 23, 2025
Potential cross-tenant account takeover vulnerability in Multiple WSO2 Products via Adaptive Authentication and Auto-Login
A cross-tenant authentication vulnerability exists in multiple WSO2 products due to improper cryptographic design in Adaptive Authentication. A single cryptographic key is used across all tenants to sign authentication cookies, allowing a privileged user in one tenant to forge authentication cookies for users in other tenants.
Because the Auto-Login feature is enabled by default, this flaw may allow an attacker to gain unauthorized access and potentially take over accounts in other tenants. Successful exploitation requires access to Adaptive Authentication functionality, which is typically restricted to high-privileged users. The vulnerability is only exploitable when Auto-Login is enabled, reducing its practical impact in deployments where the feature is disabled.
Vulnerability Analysis
Weakness Type
What is an authentification Vulnerability?
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
CVE-2025-0663 has been classified to as an authentification vulnerability or weakness.
Products Associated with CVE-2025-0663
stack.watch emails you whenever new vulnerabilities are published in Wso2 Identity Server As Key Manager or Wso2 Identity Server. Just hit a watch button to start following.
Affected Versions
WSO2 Open Banking IAM:- Version 2.0.0 and below 2.0.0.387 is affected.
- Before 5.10.0 is unknown.
- Version 5.10.0 and below 5.10.0.336 is affected.
- Before 5.10.0 is unknown.
- Version 5.10.0 and below 5.10.0.343 is affected.
- Version 5.11.0 and below 5.11.0.392 is affected.
- Version 6.0.0 and below 6.0.0.228 is affected.
- Version 6.1.0 and below 6.1.0.220 is affected.
- Version 7.0.0 and below 7.0.0.88 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.