CVE-2025-0663: 
WSO2 Identity Server vulnerability analysis and mitigation

A cross-tenant authentication vulnerability (CVE-2025-0663) was discovered in multiple WSO2 products, specifically affecting their Adaptive Authentication functionality. The vulnerability was disclosed on September 23, 2025, impacting various versions of WSO2 Identity Server, Identity Server as Key Manager, and Open Banking IAM products (NVD).

The vulnerability stems from an improper cryptographic design in Adaptive Authentication where a single cryptographic key is used across all tenants to sign authentication cookies. The severity of this vulnerability has been assessed with a CVSS v3.1 Base Score of 6.8 (Medium), with the vector string CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The vulnerability has been classified under CWE-287 (Improper Authentication) (NVD).

The vulnerability allows a privileged user in one tenant to forge authentication cookies for users in other tenants. Since the Auto-Login feature is enabled by default, this could lead to unauthorized access and potential account takeover in other tenants. The impact is particularly significant in multi-tenant environments where tenant isolation is crucial (NVD).

Affected organizations should review their WSO2 deployments, particularly focusing on the Auto-Login feature configuration. The vulnerability affects multiple versions including WSO2 Identity Server (versions 5.10.0, 5.11.0, 6.0.0, 6.1.0, 7.0.0), Identity Server as Key Manager (version 5.10.0), and Open Banking IAM (version 2.0.0) (NVD).