CVE-2025-1396

Summary

A username enumeration vulnerability exists in multiple WSO2 products when Multi-Attribute Login is enabled. In this configuration, the system returns a distinct "User does not exist" error message to the login form, regardless of the validate_username setting. This behavior allows malicious actors to determine which usernames exist in the system based on observable discrepancies in the application's responses.

Exploitation of this vulnerability could aid in brute-force attacks, targeted phishing campaigns, or other social engineering techniques by confirming the validity of user identifiers within the system.

Affected Software

VendorProductVersion RangeStatus
WSO2WSO2 Identity Server0 < 5.10.0unknown
WSO2WSO2 Identity Server5.10.0 < 5.10.0.346affected
WSO2WSO2 Identity Server5.11.0 < 5.11.0.395affected
WSO2WSO2 Identity Server6.0.0 < 6.0.0.231affected
WSO2WSO2 Identity Server6.1.0 < 6.1.0.223affected
WSO2WSO2 Open Banking IAM2.0.0 < 2.0.0.390affected
WSO2WSO2 Identity Server as Key Manager5.10.0 < 5.10.0.339affected

Weaknesses

  • CWE-203: CWE-203 Observable Discrepancy

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References