CVE-2025-9312

Summary

A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST APIs and SOAP services in multiple WSO2 products. Due to improper validation of client certificate–based authentication in certain default configurations, the affected components may permit unauthenticated requests even when mTLS is enabled. This condition occurs when relying on the default mTLS settings for System REST APIs or when the mTLS authenticator is enabled for SOAP services, causing these interfaces to accept requests without enforcing additional authentication.

Successful exploitation allows a malicious actor with network access to the affected endpoints to gain administrative privileges and perform unauthorized operations. The vulnerability is exploitable only when the impacted mTLS flows are enabled and accessible in a given deployment. Other certificate-based authentication mechanisms such as Mutual TLS OAuth client authentication and X.509 login flows are not affected, and APIs served through the API Gateway of WSO2 API Manager remain unaffected.

Affected Software

VendorProductVersion RangeStatus
WSO2WSO2 API Manager0 < 2.2.0unknown
WSO2WSO2 API Manager2.2.0 < 2.2.0.58affected
WSO2WSO2 API Manager2.5.0 < 2.5.0.84affected
WSO2WSO2 API Manager2.6.0 < 2.6.0.145affected
WSO2WSO2 API Manager3.0.0 < 3.0.0.175affected
WSO2WSO2 API Manager3.1.0 < 3.1.0.339affected
WSO2WSO2 API Manager3.2.0 < 3.2.0.439affected
WSO2WSO2 API Manager3.2.1 < 3.2.1.59affected
WSO2WSO2 API Manager4.0.0 < 4.0.0.359affected
WSO2WSO2 API Manager4.1.0 < 4.1.0.222affected
WSO2WSO2 API Manager4.2.0 < 4.2.0.161affected
WSO2WSO2 API Manager4.3.0 < 4.3.0.73affected
WSO2WSO2 API Manager4.4.0 < 4.4.0.37affected
WSO2WSO2 API Manager4.5.0 < 4.5.0.21affected
WSO2WSO2 API Control Plane4.5.0 < 4.5.0.22affected
WSO2WSO2 Traffic Manager4.5.0 < 4.5.0.20affected
WSO2WSO2 Universal Gateway4.5.0 < 4.5.0.20affected
WSO2WSO2 Identity Server as Key Manager0 < 5.3.0unknown
WSO2WSO2 Identity Server as Key Manager5.3.0 < 5.3.0.39affected
WSO2WSO2 Identity Server as Key Manager5.5.0 < 5.5.0.52affected
WSO2WSO2 Identity Server as Key Manager5.6.0 < 5.6.0.74affected
WSO2WSO2 Identity Server as Key Manager5.7.0 < 5.7.0.124affected
WSO2WSO2 Identity Server as Key Manager5.9.0 < 5.9.0.175affected
WSO2WSO2 Identity Server as Key Manager5.10.0 < 5.10.0.358affected
WSO2WSO2 Identity Server0 < 5.2.0unknown
WSO2WSO2 Identity Server5.2.0 < 5.2.0.33affected
WSO2WSO2 Identity Server5.3.0 < 5.3.0.34affected
WSO2WSO2 Identity Server5.4.0 < 5.4.0.33affected
WSO2WSO2 Identity Server5.4.1 < 5.4.1.37affected
WSO2WSO2 Identity Server5.5.0 < 5.5.0.51affected
WSO2WSO2 Identity Server5.6.0 < 5.6.0.59affected
WSO2WSO2 Identity Server5.7.0 < 5.7.0.125affected
WSO2WSO2 Identity Server5.8.0 < 5.8.0.109affected
WSO2WSO2 Identity Server5.9.0 < 5.9.0.168affected
WSO2WSO2 Identity Server5.10.0 < 5.10.0.368affected
WSO2WSO2 Identity Server5.11.0 < 5.11.0.411affected
WSO2WSO2 Identity Server6.0.0 < 6.0.0.243affected
WSO2WSO2 Identity Server6.1.0 < 6.1.0.241affected
WSO2WSO2 Identity Server7.0.0 < 7.0.0.116affected
WSO2WSO2 Identity Server7.1.0 < 7.1.0.23affected
WSO2WSO2 Open Banking KM0 < 1.4.0unknown
WSO2WSO2 Open Banking KM1.4.0 < 1.4.0.132affected
WSO2WSO2 Open Banking KM1.5.0 < 1.5.0.122affected
WSO2WSO2 Open Banking AM0 < 1.4.0unknown
WSO2WSO2 Open Banking AM1.4.0 < 1.4.0.138affected
WSO2WSO2 Open Banking AM1.5.0 < 1.5.0.139affected
WSO2WSO2 Open Banking AM2.0.0 < 2.0.0.388affected
WSO2WSO2 Open Banking IAM2.0.0 < 2.0.0.408affected
WSO2org.wso2.carbon.identity.auth.service1.1.1 < 1.1.1.2affected
WSO2org.wso2.carbon.identity.auth.service1.1.16 < 1.1.16.3affected
WSO2org.wso2.carbon.identity.auth.service1.1.18 < 1.1.18.4affected
WSO2org.wso2.carbon.identity.auth.service1.1.20 < 1.1.20.5affected
WSO2org.wso2.carbon.identity.auth.service1.1.26 < 1.1.26.7affected
WSO2org.wso2.carbon.identity.auth.service1.3.6 < 1.3.6.8affected
WSO2org.wso2.carbon.identity.auth.service1.4.0 < 1.4.0.18affected
WSO2org.wso2.carbon.identity.auth.service1.4.25 < 1.4.25.24affected
WSO2org.wso2.carbon.identity.auth.service1.4.52 < 1.4.52.4affected
WSO2org.wso2.carbon.identity.auth.service1.6.1 < 1.6.1.11affected
WSO2org.wso2.carbon.identity.auth.service1.7.1 < 1.7.1.4affected
WSO2org.wso2.carbon.identity.auth.service1.8.11 < 1.8.11.6affected
WSO2org.wso2.carbon.identity.auth.service1.8.41 < 1.8.41.2affected
WSO2org.wso2.carbon.identity.auth.service1.9.4 < 1.9.4.4affected
WSO2org.wso2.carbon.identity.auth.service1.9.18 < 1.9.18.2affected
WSO2org.wso2.carbon.identity.auth.service5.5.2 <= 5.5.2.*unaffected

Weaknesses

  • CWE-306: CWE-306 Missing Authentication for Critical Function

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References