What is CVE-2025-9312?

CVE-2025-9312 is a critical-severity vulnerability in Wso2 Org.wso2.carbon.identity.auth.service, classified under Missing Authentication for Critical Function. CVSS score: 9.8/10. Published 2025-11-18.

How severe is CVE-2025-9312?

Critical severity. CVSS v3 base score is 9.8 out of 10.

Auth bypass in Wso2 Org.wso2.carbon.identity.auth.service

CVE-2025-9312

A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST APIs and SOAP services in multiple WSO2 products. Due to improper validation of client certificate–based authentication i…

Vulnerability class: Broken Authentication

EPSS: 0.000 (14.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Wso2 Org.wso2.carbon.identity.auth.service — versions 1.1.1, 1.1.16, 1.1.18
Wso2 Api Control Plane — versions 4.5.0
Wso2 Api Manager — versions 0, 2.2.0, 2.5.0
Wso2 Identity Server — versions 0, 5.2.0, 5.3.0
Wso2 Identity Server As Key Manager — versions 0, 5.3.0, 5.5.0
Wso2 Open Banking Am — versions 0, 1.4.0, 1.5.0
Wso2 Open Banking Iam — versions 2.0.0
Wso2 Open Banking Km — versions 0, 1.4.0, 1.5.0
Wso2 Traffic Manager — versions 4.5.0
Wso2 Universal Gateway — versions 4.5.0

Weakness classification (CWE)

CWE-306 — Missing Authentication for Critical Function

References

security.docs.wso2.com/en/latest/security-announcements/security-advisories/202… (vendor-advisory)

Frequently asked questions

What is CVE-2025-9312?: CVE-2025-9312 is a critical-severity vulnerability in Wso2 Org.wso2.carbon.identity.auth.service, classified under Missing Authentication for Critical Function. CVSS score: 9.8/10. Published 2025-11-18.
How severe is CVE-2025-9312?: Critical severity. CVSS v3 base score is 9.8 out of 10.