WSO2 Identity Server FIDO Auth Bypass Leads to User Impersonation
CVE-2025-0672 Published on September 23, 2025
Authentication Bypass in Multiple WSO2 Products via Stale FIDO Credential Association
An authentication bypass vulnerability exists in multiple WSO2 products when FIDO authentication is enabled. When a user account is deleted, the system does not automatically remove associated FIDO registration data. If a new user account is later created using the same username, the system may associate the new account with the previously registered FIDO device.
This flaw may allow a previously deleted user to authenticate using their FIDO credentials and impersonate the newly created user, resulting in unauthorized access. The vulnerability applies only to deployments that utilize FIDO-based authentication.
Vulnerability Analysis
CVE-2025-0672 is exploitable with network access, and requires user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is an authentification Vulnerability?
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
CVE-2025-0672 has been classified to as an authentification vulnerability or weakness.
Products Associated with CVE-2025-0672
stack.watch emails you whenever new vulnerabilities are published in Wso2 Identity Server As Key Manager or Wso2 Identity Server. Just hit a watch button to start following.
Affected Versions
WSO2 Identity Server as Key Manager:- Before 5.10.0 is unknown.
- Version 5.10.0 and below 5.10.0.338 is affected.
- Before 5.10.0 is unknown.
- Version 5.10.0 and below 5.10.0.345 is affected.
- Version 5.11.0 and below 5.11.0.394 is affected.
- Version 2.0.0 and below 2.0.0.389 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.