Unrated severityNVD Advisory· Published Sep 23, 2025· Updated Sep 25, 2025

Authentication Bypass in Multiple WSO2 Products via Stale FIDO Credential Association

CVE-2025-0672

Description

An authentication bypass vulnerability exists in multiple WSO2 products when FIDO authentication is enabled. When a user account is deleted, the system does not automatically remove associated FIDO registration data. If a new user account is later created using the same username, the system may associate the new account with the previously registered FIDO device.

This flaw may allow a previously deleted user to authenticate using their FIDO credentials and impersonate the newly created user, resulting in unauthorized access. The vulnerability applies only to deployments that utilize FIDO-based authentication.

Affected products

WSO2/WSO2 Identity Serverv5
Range: 5.10.0
WSO2/WSO2 Identity Server as Key Managerv5
Range: 5.10.0
WSO2/WSO2 Open Banking IAMv5
Range: 2.0.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3134/mitrevendor-advisory

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000