CVE-2025-0663
📋 TL;DR
A cross-tenant authentication vulnerability in WSO2 products allows privileged users in one tenant to forge authentication cookies for users in other tenants. This could lead to unauthorized access and account takeover in multi-tenant deployments. The vulnerability affects WSO2 products with Adaptive Authentication enabled and Auto-Login feature active.
💻 Affected Systems
- WSO2 Identity Server
- WSO2 API Manager
- WSO2 Enterprise Integrator
- WSO2 Micro Integrator
- WSO2 Streaming Integrator
- WSO2 Micro Gateway
⚠️ Risk & Real-World Impact
Worst Case
Privileged attacker gains unauthorized access to any user account in other tenants, potentially leading to full account takeover and data compromise across the multi-tenant environment.
Likely Case
A privileged user with access to Adaptive Authentication functionality exploits the vulnerability to gain access to a limited set of accounts in other tenants where Auto-Login is enabled.
If Mitigated
With Auto-Login disabled, the vulnerability cannot be exploited, though the underlying cryptographic flaw remains present.
🎯 Exploit Status
Exploitation requires privileged access to Adaptive Authentication functionality and Auto-Login enabled. Attack involves cryptographic cookie forgery.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.1.0 and later
Vendor Advisory: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3864/
Restart Required: No
Instructions:
1. Upgrade affected WSO2 products to version 7.1.0 or later.
2. Apply the security patch provided by WSO2.
3. Verify the fix by checking that tenant-specific cryptographic keys are now used for authentication cookies.
🔧 Temporary Workarounds
Disable Auto-Login Feature
Disable the Auto-Login feature in WSO2 products to prevent exploitation of this vulnerability.
Navigate to WSO2 Management Console > Identity Providers > Resident > Authentication Configuration > Auto Login Configuration > Disable
🧯 If You Can't Patch
- Disable Auto-Login feature immediately in all affected deployments.
- Restrict access to Adaptive Authentication functionality to only essential privileged users.
🔍 How to Verify
Check if Vulnerable:
Check if using WSO2 product version 7.0.0 or earlier with Adaptive Authentication and Auto-Login enabled.
Check Version:
Check WSO2 product version in management console or via product documentation.
Verify Fix Applied:
Verify product version is 7.1.0 or later and confirm tenant-specific cryptographic keys are used for authentication cookies.
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication patterns across tenant boundaries
- Failed authentication attempts followed by successful logins from different tenants
- Administrative access to Adaptive Authentication functionality
Network Indicators:
- Authentication requests originating from unexpected tenant contexts
- Cookie manipulation attempts in authentication flows
SIEM Query:
source="wso2" AND ((event_type="authentication" AND tenant_id!="expected_tenant") OR (event_type="admin_access" AND resource="adaptive_authentication"))
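The log and SIEM indicators above can be turned into a small correlation check. The following is an added example, not WSO2's code and not a query from the advisory: it parses a few constructed newline-delimited JSON events (the field names `event_type`, `outcome`, `user_tenant`, `request_tenant`, `actor_tenant` and `resource` are assumptions for illustration and must be mapped onto whatever your WSO2 audit pipeline actually emits), flags successful logins whose request tenant differs from the user's home tenant, flags failed attempts followed by a success from a different tenant context, and correlates cross-tenant logins with preceding administrative access to Adaptive Authentication within a time window.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events for demonstration; not real WSO2 output, and the
# field names are assumptions about an audit-log schema, not WSO2's own.
SAMPLE_LOG = """\
{"ts": "2025-03-01T10:00:01Z", "event_type": "admin_access", "actor": "admin@tenant-a.com", "actor_tenant": "tenant-a.com", "resource": "adaptive_authentication"}
{"ts": "2025-03-01T10:00:05Z", "event_type": "authentication", "outcome": "failure", "user": "bob@tenant-b.com", "user_tenant": "tenant-b.com", "request_tenant": "tenant-b.com"}
{"ts": "2025-03-01T10:00:09Z", "event_type": "authentication", "outcome": "success", "user": "bob@tenant-b.com", "user_tenant": "tenant-b.com", "request_tenant": "tenant-a.com"}
{"ts": "2025-03-01T10:01:00Z", "event_type": "authentication", "outcome": "success", "user": "carol@tenant-c.com", "user_tenant": "tenant-c.com", "request_tenant": "tenant-c.com"}
{"ts": "2025-03-01T11:30:00Z", "event_type": "admin_access", "actor": "ops@tenant-c.com", "actor_tenant": "tenant-c.com", "resource": "user_store"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events and attach a parsed 'when' datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        # ISO-8601 with a trailing Z; normalise for datetime.fromisoformat
        ev["when"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    events.sort(key=lambda e: e["when"])
    return events


def cross_tenant_successes(events):
    """Successful logins whose request tenant is not the user's home tenant."""
    return [
        e for e in events
        if e.get("event_type") == "authentication"
        and e.get("outcome") == "success"
        and e.get("request_tenant") != e.get("user_tenant")
    ]


def adaptive_auth_admin_access(events):
    """Administrative access to the Adaptive Authentication resource."""
    return [
        e for e in events
        if e.get("event_type") == "admin_access"
        and e.get("resource") == "adaptive_authentication"
    ]


def failure_then_foreign_success(events, window=timedelta(minutes=5)):
    """(failure, success) pairs for the same user where a failed attempt is
    followed within `window` by a success issued from a different tenant context."""
    pairs = []
    auth = [e for e in events if e.get("event_type") == "authentication"]
    for i, fail in enumerate(auth):
        if fail.get("outcome") != "failure":
            continue
        for succ in auth[i + 1:]:
            if succ["when"] - fail["when"] > window:
                break  # events are sorted, so nothing later can be in the window
            if (succ.get("user") == fail.get("user")
                    and succ.get("outcome") == "success"
                    and succ.get("request_tenant") != fail.get("request_tenant")):
                pairs.append((fail, succ))
    return pairs


def correlate(events, window=timedelta(minutes=5)):
    """Highest-signal finding: Adaptive Authentication admin access in tenant X
    followed within `window` by a cross-tenant login issued from tenant X."""
    alerts = []
    for admin in adaptive_auth_admin_access(events):
        for login in cross_tenant_successes(events):
            delta = login["when"] - admin["when"]
            if timedelta(0) <= delta <= window and login.get("request_tenant") == admin.get("actor_tenant"):
                alerts.append({
                    "actor": admin["actor"],
                    "actor_tenant": admin["actor_tenant"],
                    "victim": login["user"],
                    "victim_tenant": login["user_tenant"],
                    "seconds_after_admin_access": int(delta.total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for a in correlate(evs):
        print("ALERT cross-tenant login after Adaptive Auth admin access:", a)
```

The time window and the "admin access then cross-tenant login" pairing are the correlation logic; the raw indicators on their own (any cross-tenant login, any Adaptive Authentication admin access) will be noisy in deployments where tenants legitimately share users or where administrators routinely edit authentication scripts, so tune the window and the tenant pairing to your environment before alerting on them.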