CVE-2025-10908

Severity: HIGH | CVSS 7.3/10 | EPSS 0.23%

CVE-2025-10908 is a high-severity vulnerability rated 7.3/10 on the CVSS scale. Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. This bypasses the intended security control that should prevent access to accounts that have been locked. This vulnerability may allow unauthorized access to applications and sensitive data associated with accounts that should have been restricted via the account lock mechanism. EPSS estimates a 0.23% chance of exploitation in the next 30 days.

Description

Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. This bypasses the intended security control that should prevent access to accounts that have been locked. This vulnerability may allow unauthorized access to applications and sensitive data associated with accounts that should have been restricted via the account lock mechanism. It also undermines the effectiveness of the account lock mechanism intended to prevent further login attempts.
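The flaw described above is a missing check rather than a broken one: the account-lock state is consulted on the password path but not on the alternative authenticators. The following is an added illustration, not WSO2 code, using a constructed in-memory account store and hypothetical `vulnerable_authenticate` / `hardened_authenticate` functions; the hardened form evaluates account state once, before any authenticator runs, so every login method is covered.

```python
from dataclasses import dataclass

# Authentication methods supported by this toy service (hypothetical names).
AUTHENTICATORS = ("password", "magic_link", "passkey")


@dataclass
class Account:
    username: str
    locked: bool  # set by the account-lock mechanism after repeated failures


# Constructed sample store: one locked account and one active account.
ACCOUNTS = {
    "alice": Account("alice", locked=True),
    "bob": Account("bob", locked=False),
}


def vulnerable_authenticate(username: str, method: str, credential_ok: bool) -> str:
    """Pattern behind the CVE: only the password authenticator checks the lock flag.

    Returns "ok", "denied" or "locked". `credential_ok` stands in for the
    result of verifying the password, the magic-link token or the passkey.
    """
    acct = ACCOUNTS.get(username)
    if acct is None or method not in AUTHENTICATORS or not credential_ok:
        return "denied"
    if method == "password" and acct.locked:
        return "locked"
    # magic_link / passkey fall through here without consulting acct.locked
    return "ok"


def hardened_authenticate(username: str, method: str, credential_ok: bool) -> str:
    """Fixed pattern: account state is validated before any authenticator runs."""
    acct = ACCOUNTS.get(username)
    if acct is None or method not in AUTHENTICATORS:
        return "denied"
    if acct.locked:
        # Enforced for every method, so no authenticator can bypass the lock.
        return "locked"
    return "ok" if credential_ok else "denied"


if __name__ == "__main__":
    for method in AUTHENTICATORS:
        print(method, vulnerable_authenticate("alice", method, True),
              hardened_authenticate("alice", method, True))
```

Running the block shows "locked" only on the password row for the vulnerable function and on every row for the hardened one, which is the regression check a defender would add for each authenticator a locked test account can reach.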

Metrics

CVSS 3.1
7.3/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS Probability
0.23%

13.7th percentile

Probability of exploitation in the next 30 days.

Weakness Enumeration

Affected Software

Vendor | Product         | Versions
WSO2   | Identity Server | >= 6.0.0, < 6.0.0.249
WSO2   | Identity Server | >= 6.1.0, < 6.1.0.248
WSO2   | Identity Server | >= 7.0.0, < 7.0.0.124
WSO2   | Identity Server | >= 7.1.0, < 7.1.0.31

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2025-10908?
Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. This bypasses the intended security control that should prevent access to accounts that have been locked. This vulnerability may allow unauthorized access to applications and sensitive data associated with accounts that should have been restricted via the account lock mechanism. It also undermines the effectiveness of the account lock mechanism intended to prevent further login attempts.
How severe is CVE-2025-10908?
CVE-2025-10908 has a CVSS score of 7.3/10 (HIGH severity). The EPSS model estimates a 0.23% probability of exploitation in the next 30 days.
How do I fix CVE-2025-10908?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Source: NVD / NIST