CVE-2025-0672

LOW

WSO2 Identity Server - Authentication Bypass via FIDO Registration Data

Title source: llm

Description

An authentication bypass vulnerability exists in multiple WSO2 products when FIDO authentication is enabled. When a user account is deleted, the system does not automatically remove associated FIDO registration data. If a new user account is later created using the same username, the system may associate the new account with the previously registered FIDO device. This flaw may allow a previously deleted user to authenticate using their FIDO credentials and impersonate the newly created user, resulting in unauthorized access. The vulnerability applies only to deployments that utilize FIDO-based authentication.

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3134/

Scores

CVSS v3 3.3

EPSS 0.0021

EPSS Percentile 10.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-287

Status published

Products (4)

wso2/identity_server 5.10.0

wso2/identity_server 5.11.0

wso2/identity_server_as_key_manager 5.10.0

wso2/open_banking_iam 2.0.0

Published Sep 23, 2025

Tracked Since Feb 18, 2026