CVEDB API

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2025-0672

An authentication bypass vulnerability exists in multiple WSO2 products when FIDO authentication is enabled. When a user account is deleted, the system does not automatically remove associated FIDO registration data. If a new user account is later created using the same username, the system may associate the new account with the previously registered FIDO device. This flaw may allow a previously deleted user to authenticate using their FIDO credentials and impersonate the newly created user, resulting in unauthorized access. The vulnerability applies only to deployments that utilize FIDO-based authentication.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.0

EPSS Ranking 15.0%

CVSS Severity

CVSS v3 Score 3.3

References

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3134/

Products affected by CVE-2025-0672

Wso2 » Identity Server » Version: 5.10.0

cpe:2.3:a:wso2:identity_server:5.10.0
Wso2 » Identity Server » Version: 5.11.0

cpe:2.3:a:wso2:identity_server:5.11.0
Wso2 » Identity Server As Key Manager » Version: 5.10.0

cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0
Wso2 » Open Banking Iam » Version: 2.0.0

cpe:2.3:a:wso2:open_banking_iam:2.0.0

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2025-0672

Products

Pricing

Contact Us