External risk intelligence

WSO2 Identity Server allows attackers to access other companies' data by misusing authentication rules.

CVE advisory

Severity: HIGH (CVSS 7.2)

CVE-2025-9973

An external attacker could exploit WSO2 Identity Server to gain unauthorized access to other organizations' accounts by manipulating authentication logic. This matters because it could lead to account takeover and access to sensitive information.

Halo Surface Signal: 2

Privilege Escalation

WSO2 Identity Server

Affected versions: 7.1.0 to before 7.1.0.26

External exposure likelihood

Halo Surface Signal score for CVE-2025-9973

The vulnerability requires the attacker to already hold specific configuration privileges within one organization in order to manipulate adaptive authentication logic. Because it depends on existing administrative or configuration access rather than on an unauthenticated exploit of a public-facing service, internet-wide reachability is not a characteristic of this attack vector.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in WSO2 Identity Server allows an attacker with configuration privileges in one organization to bypass security controls and execute authentication logic in other organizations. This can lead to unauthorized access to sensitive data and user accounts, impacting your overall security posture.

  • Bypasses authorization boundaries between organizations.
  • Enables unauthorized access to critical operations.
  • Can result in privilege escalation.

Attack Path

How an attacker could exploit the issue

An attacker with privileges to configure adaptive authentication in one organization within WSO2 Identity Server can exploit this flaw to execute authentication logic in other organizations. This allows them to bypass organizational boundaries and potentially gain unauthorized access to critical operations, user accounts, and sensitive data across different tenants.

  • Requires configuration privileges.
  • Targets adaptive authentication flows.
  • Bypasses organization boundaries.

Live Threat

Current exploitation, exposure, and threat context

Attackers may target this vulnerability to bypass authorization boundaries between organizations, potentially leading to unauthorized access and account takeovers. The need for existing configuration privileges makes it less attractive for widespread, opportunistic attacks but still valuable for targeted intrusions. Evidence of active exploitation is currently limited, so immediate exploitation should be treated as possible but unconfirmed.

  • Requires authenticated, privileged access.
  • No public exploit availability observed.
  • Recent advisory published.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize isolating or taking offline WSO2 Identity Server instances affected by CVE-2025-9973, especially if they are multi-organization deployments. This vulnerability allows unauthorized execution of authentication logic across organizational boundaries, potentially leading to privilege escalation and account takeover. Confirm that all configurations and adaptive authentication policies are reviewed and secured to prevent lateral movement.

  • Apply WSO2 Identity Server version 7.1.0.26 or later.
  • Monitor for anomalous authentication attempts.
  • Restrict administrative access to adaptive authentication configurations.
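As an added example (not part of the advisory and not WSO2's own tooling), a small inventory-triage script that checks reported WSO2 Identity Server versions against the affected range stated above, 7.1.0 up to but not including 7.1.0.26. It assumes the fourth version component is WSO2's update level and can be compared numerically; the host list is constructed sample data.

```python
from typing import Dict, List, Tuple

# Affected range as stated in the advisory for CVE-2025-9973.
AFFECTED_START = "7.1.0"
FIXED_VERSION = "7.1.0.26"


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse a dotted version string such as "7.1.0" or "7.1.0.26".

    Assumption: the fourth component is the update level. Missing trailing
    components are padded with 0, so "7.1.0" sorts as "7.1.0.0".
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_affected(version: str) -> bool:
    """True if the version lies inside the advisory's affected range."""
    v = parse_version(version)
    return parse_version(AFFECTED_START) <= v < parse_version(FIXED_VERSION)


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Classify each (host, version) pair for remediation planning.

    Versions outside the stated range are reported as such rather than
    as "safe": the advisory only describes 7.1.0 through 7.1.0.25.
    """
    result: Dict[str, str] = {}
    for host, version in inventory:
        try:
            result[host] = "affected" if is_affected(version) else "not in stated range"
        except ValueError:
            result[host] = "unknown version"  # e.g. snapshot builds; check manually
    return result


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    ("idp-prod-01", "7.1.0"),          # base release, affected
    ("idp-prod-02", "7.1.0.25"),       # last unpatched update level, affected
    ("idp-stage-01", "7.1.0.26"),      # fixed update level
    ("idp-legacy-01", "7.0.0.15"),     # outside the stated range
    ("idp-lab-01", "7.1.0-SNAPSHOT"),  # not a release version string
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```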

Frequently asked questions

What is WSO2 Identity Server and its function?

WSO2 Identity Server is a platform for managing digital identities and access, securing applications and services by handling authentication, authorization, and single sign-on, particularly in complex, multi-organization environments.

How does CVE-2025-9973 misuse authentication rules?

CVE-2025-9973, classified as CWE-284 and CWE-863, exploits a failure to validate organization context during adaptive authentication, enabling configuration logic intended for one organization to run in others.

What is the trigger path for CVE-2025-9973?

An attacker with privileges to configure adaptive authentication in one organization can trigger unintended authentication logic execution in other organizations and sub-organizations.

What is the relevance of CVE-2025-9973?

This vulnerability allows bypassing authorization boundaries between organizations, potentially leading to privilege escalation, unauthorized access to critical operations, and account takeover. The Halo Surface Signal indicates this is unlikely to be widely exploited due to the requirement for existing configuration privileges.

What are the practical steps to address CVE-2025-9973?

Organizations should apply WSO2 Identity Server version 7.1.0.26 or later, monitor for anomalous authentication attempts, and restrict administrative access to adaptive authentication configurations to mitigate this risk.
