Description

An authentication bypass vulnerability exists in multiple WSO2 products when FIDO authentication is enabled. When a user account is deleted, the system does not automatically remove the FIDO registration data associated with it. If a new user account is later created with the same username, the system may associate the new account with the previously registered FIDO device. This flaw may allow a previously deleted user to authenticate with their FIDO credentials and impersonate the newly created user, resulting in unauthorized access. The vulnerability applies only to deployments that use FIDO-based authentication.
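The flaw described above is a data-lifecycle problem rather than a cryptographic one: a registration record that outlives its account and is later matched to a different account by a reusable key. The following is an added, hypothetical model written for this page; it is not WSO2 code and makes no claim about how WSO2 stores FIDO data internally. The class names, the `alice`/`bob` usernames and the credential ids are all constructed. It contrasts a store keyed by username with no cleanup on deletion against one that binds registrations to an immutable user id and removes them when the account is deleted, and includes a small audit helper that lists registrations with no live account behind them.

```python
"""Model of a stale-FIDO-registration flaw and its mitigation.

Hypothetical, self-contained illustration; it is NOT WSO2 code and does not
describe WSO2's internal storage. All names and values are constructed.
"""
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: str    # immutable identifier assigned at creation
    username: str   # human-chosen name, reusable after deletion


class UsernameKeyedFidoStore:
    """Vulnerable pattern: FIDO registrations keyed by username and left
    behind when the user is deleted."""

    def __init__(self):
        self.users = {}          # username -> User
        self.registrations = {}  # key -> set of credential ids

    def create_user(self, username):
        user = User(str(uuid.uuid4()), username)
        self.users[username] = user
        return user

    def register_credential(self, username, credential_id):
        self.registrations.setdefault(username, set()).add(credential_id)

    def delete_user(self, username):
        # Only the account entry goes away; the registration is orphaned.
        del self.users[username]

    def authenticate(self, username, credential_id):
        # A username lookup silently matches the *new* account of the same name.
        return (username in self.users
                and credential_id in self.registrations.get(username, set()))


class UserIdKeyedFidoStore(UsernameKeyedFidoStore):
    """Mitigated pattern: registrations bound to the immutable user id and
    removed as part of account deletion."""

    def register_credential(self, username, credential_id):
        owner = self.users[username].user_id
        self.registrations.setdefault(owner, set()).add(credential_id)

    def delete_user(self, username):
        user = self.users.pop(username)
        self.registrations.pop(user.user_id, None)  # cascade the deletion

    def authenticate(self, username, credential_id):
        user = self.users.get(username)
        # Even without the cascade, a fresh user id never matches old records;
        # the cascade additionally keeps orphaned credentials out of the store.
        return (user is not None
                and credential_id in self.registrations.get(user.user_id, set()))


def stale_credential_accepted(store_cls):
    """Replay the scenario: register, delete, recreate the same username,
    then present the old credential. True means the old credential still works."""
    store = store_cls()
    store.create_user("alice")
    store.register_credential("alice", "cred-old")  # constructed credential id
    store.delete_user("alice")
    store.create_user("alice")                      # a different person, same name
    return store.authenticate("alice", "cred-old")


def orphaned_registrations(store):
    """Audit helper: registration keys with no live account behind them."""
    live = set(store.users) | {u.user_id for u in store.users.values()}
    return sorted(k for k in store.registrations if k not in live)


def orphans_after_delete(store_cls):
    """Delete a registered user and report what the audit helper finds."""
    store = store_cls()
    store.create_user("bob")
    store.register_credential("bob", "cred-bob")  # constructed credential id
    store.delete_user("bob")
    return orphaned_registrations(store)


if __name__ == "__main__":
    print("username-keyed, old credential accepted:",
          stale_credential_accepted(UsernameKeyedFidoStore))
    print("user-id-keyed,  old credential accepted:",
          stale_credential_accepted(UserIdKeyedFidoStore))
    print("orphans left by username-keyed delete:",
          orphans_after_delete(UsernameKeyedFidoStore))
```

The audit helper is the operationally useful part for a defender: running an equivalent query against a real registration table before and after the vendor fix shows whether stale registrations remain, and the ones it lists are the records that a fixed deletion path should have removed.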

INFO

Published Date: 2025-09-23T17:30:42.687Z

Last Modified: 2025-09-25T16:01:00.676Z

Source: WSO2

AFFECTED PRODUCTS

The following products are affected by the CVE-2025-0672 vulnerability.

Vendor: WSO2

Products:
  • Identity Server
  • Identity Server as Key Manager
  • Open Banking IAM