CVE-2025-0672 LOW

CVE-2025-0672: Authentication Bypass in Multiple WSO2 Products via Stale FIDO Credential Association

Vendor Wso2
Product WSO2 Identity Server as Key Manager
Published September 23, 2025
Last update September 25, 2025

CVSS base score

3.3/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

An authentication bypass vulnerability exists in multiple WSO2 products when FIDO authentication is enabled. When a user account is deleted, the system does not automatically remove associated FIDO registration data. If a new user account is later created using the same username, the system may associate the new account with the previously registered FIDO device. This flaw may allow a previously deleted user to authenticate using their FIDO credentials and impersonate the newly created user, resulting in unauthorized access. The vulnerability applies only to deployments that utilize FIDO-based authentication.

Key dates

02Disclosure timeline

September 23, 2025 CVE published
September 25, 2025 Record updated