WSO2 Flaws Expose Critical Identity Bypass Risks
Security researcher Crnkovic has disclosed three critical vulnerabilities in WSO2 API Manager and WSO2 Identity Server, each rated CVSS 9.8. The flaws, tracked as CVE-2025-9152, CVE-2025-10611 and CVE-2025-9804, allow an attacker to bypass authentication in products that enterprises widely deploy for identity and access management and for fronting their APIs.
The vulnerabilities sit in core components of both platforms. Because these systems typically gate authentication for other applications, an authentication bypass in them can translate directly into unauthorized access, data exposure, and a foothold for lateral movement across the network. The gaps can be exploited if affected deployments are left unpatched.
The disclosure also mentions CVE-2025-11371, CVE-2025-54253, CVE-2025-2905 and CVE-2025-27915. Security teams should review the findings, confirm whether their deployments run affected versions, and apply the vendor fixes or mitigations as appropriate.
Read the full report here:
Researcher Details Critical Authentication Bypasses in WSO2 API Manager and Identity Server
