CVE-2025-9312

Published: Nov 18, 2025

Modified: Nov 18, 2025

PUBLISHED

CVSS v3.1

9.8

CRITICAL

Description

A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST APIs and SOAP services in multiple WSO2 products. Due to improper validation of client certificate–based authentication in certain default configurations, the affected components may permit unauthenticated requests even when mTLS is enabled. This condition occurs when relying on the default mTLS settings for System REST APIs or when the mTLS authenticator is enabled for SOAP services, causing these interfaces to accept requests without enforcing additional authentication. Successful exploitation allows a malicious actor with network access to the affected endpoints to gain administrative privileges and perform unauthorized operations. The vulnerability is exploitable only when the impacted mTLS flows are enabled and accessible in a given deployment. Other certificate-based authentication mechanisms such as Mutual TLS OAuth client authentication and X.509 login flows are not affected, and APIs served through the API Gateway of WSO2 API Manager remain unaffected.

Vendor	Product	Versions
WSO2	WSO2 API Manager	unknown `0 - < 2.2.0` affected `2.2.0 - < 2.2.0.58` affected `2.5.0 - < 2.5.0.84` affected `2.6.0 - < 2.6.0.145` affected `3.0.0 - < 3.0.0.175` +9 more versions
WSO2	WSO2 API Control Plane	affected `4.5.0 - < 4.5.0.22`
WSO2	WSO2 Traffic Manager	affected `4.5.0 - < 4.5.0.20`
WSO2	WSO2 Universal Gateway	affected `4.5.0 - < 4.5.0.20`
WSO2	WSO2 Identity Server as Key Manager	unknown `0 - < 5.3.0` affected `5.3.0 - < 5.3.0.39` affected `5.5.0 - < 5.5.0.52` affected `5.6.0 - < 5.6.0.74` affected `5.7.0 - < 5.7.0.124` +2 more versions
WSO2	WSO2 Identity Server	unknown `0 - < 5.2.0` affected `5.2.0 - < 5.2.0.33` affected `5.3.0 - < 5.3.0.34` affected `5.4.0 - < 5.4.0.33` affected `5.4.1 - < 5.4.1.37` +11 more versions
WSO2	WSO2 Open Banking KM	unknown `0 - < 1.4.0` affected `1.4.0 - < 1.4.0.132` affected `1.5.0 - < 1.5.0.122`
WSO2	WSO2 Open Banking AM	unknown `0 - < 1.4.0` affected `1.4.0 - < 1.4.0.138` affected `1.5.0 - < 1.5.0.139` affected `2.0.0 - < 2.0.0.388`
WSO2	WSO2 Open Banking IAM	affected `2.0.0 - < 2.0.0.408`
WSO2	org.wso2.carbon.identity.auth.service	affected `1.1.1 - < 1.1.1.2` affected `1.1.16 - < 1.1.16.3` affected `1.1.18 - < 1.1.18.4` affected `1.1.20 - < 1.1.20.5` affected `1.1.26 - < 1.1.26.7` +11 more versions

Weaknesses (CWE)

CWE-306

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4494/

vendor-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-9312

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References