Strix
26.1K

CVE-2025-0663

MEDIUMCVSS 6.8/10EPSS 0.23%

Last modified

CVE-2025-0663 is a medium-severity vulnerability rated 6.8/10 on the CVSS scale. A cross-tenant authentication vulnerability exists in multiple WSO2 products due to improper cryptographic design in Adaptive Authentication. A single cryptographic key is used across all tenants to sign authentication cookies, allowing a privileged user in one tenant to forge authentication cookies for users in other tenants. Because the Auto-Login feature is enabled by default, this flaw may allow an attacker to gain unauthorized access and potentially take over accounts in other tenants. EPSS estimates a 0.23% chance of exploitation in the next 30 days.

Description

A cross-tenant authentication vulnerability exists in multiple WSO2 products due to improper cryptographic design in Adaptive Authentication. A single cryptographic key is used across all tenants to sign authentication cookies, allowing a privileged user in one tenant to forge authentication cookies for users in other tenants. Because the Auto-Login feature is enabled by default, this flaw may allow an attacker to gain unauthorized access and potentially take over accounts in other tenants. Successful exploitation requires access to Adaptive Authentication functionality, which is typically restricted to high-privileged users. The vulnerability is only exploitable when Auto-Login is enabled, reducing its practical impact in deployments where the feature is disabled.

Metrics

CVSS 3.1
6.8/10

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
0.23%

13.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
Wso2Identity Server5.10.0
Wso2Identity Server5.11.0
Wso2Identity Server6.0.0
Wso2Identity Server6.1.0
Wso2Identity Server7.0.0
Wso2Identity Server As Key Manager5.10.0
Wso2Open Banking Iam2.0.0

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2025-0663?
A cross-tenant authentication vulnerability exists in multiple WSO2 products due to improper cryptographic design in Adaptive Authentication. A single cryptographic key is used across all tenants to sign authentication cookies, allowing a privileged user in one tenant to forge authentication cookies for users in other tenants. Because the Auto-Login feature is enabled by default, this flaw may allow an attacker to gain unauthorized access and potentially take over accounts in other tenants. Successful exploitation requires access to Adaptive Authentication functionality, which is typically restricted to high-privileged users. The vulnerability is only exploitable when Auto-Login is enabled, reducing its practical impact in deployments where the feature is disabled.
How severe is CVE-2025-0663?
CVE-2025-0663 has a CVSS score of 6.8/10 (MEDIUM severity). The EPSS model estimates a 0.23% probability of exploitation in the next 30 days.
How do I fix CVE-2025-0663?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2025-0663?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST