Skip to main content
CVE Vulnerability Database

CVE-2025-1396: WSO2 Identity Server Information Disclosure

CVE-2025-1396 is an information disclosure vulnerability in WSO2 Identity Server that enables username enumeration attacks. This article covers the technical details, affected versions, security impact, and mitigation strategies.

Published:

CVE-2025-1396 Overview

CVE-2025-1396 is a username enumeration vulnerability affecting multiple WSO2 products when Multi-Attribute Login is enabled. The system returns a distinct User does not exist error message on the login form regardless of the validate_username setting. This response discrepancy lets attackers determine which usernames exist in the target system.

The flaw impacts WSO2 Identity Server, WSO2 Identity Server as Key Manager, and WSO2 Open Banking IAM. Confirmed usernames aid brute-force attacks, targeted phishing, and social engineering campaigns against valid identities.

Critical Impact

Attackers can enumerate valid usernames in WSO2 identity products through observable login response differences, enabling downstream credential attacks and phishing.

Affected Products

  • WSO2 Identity Server versions 5.10.0, 5.11.0, 6.0.0, 6.1.0
  • WSO2 Identity Server as Key Manager 5.10.0
  • WSO2 Open Banking IAM 2.0.0

Discovery Timeline

  • 2025-09-26 - CVE-2025-1396 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-1396

Vulnerability Analysis

The vulnerability falls under [CWE-203]: Observable Discrepancy. When Multi-Attribute Login is enabled, the WSO2 authentication endpoint responds differently based on whether the supplied identifier maps to an existing user account. A specific User does not exist message is returned for non-existent accounts, while invalid credentials for valid accounts produce a different response.

Multi-Attribute Login lets users authenticate using multiple identifiers such as username, email address, or mobile number. The validate_username configuration was designed to suppress user existence disclosure. In vulnerable versions, this setting is ignored when Multi-Attribute Login is active. Attackers exploit this by iterating candidate identifiers against the login form and classifying responses.

Root Cause

The root cause is inconsistent error handling in the Multi-Attribute Login flow. The authentication logic bypasses the validate_username guard that normally unifies error responses. This design flaw leaks user existence state through the response channel even when administrators explicitly configured the system to prevent enumeration.

Attack Vector

Exploitation requires no authentication and no user interaction. An attacker sends HTTP login requests containing candidate usernames, emails, or phone numbers to the WSO2 login endpoint. By comparing response bodies, status codes, or timing characteristics, the attacker builds a list of valid identifiers. This list then feeds credential stuffing, password spraying, or targeted phishing operations.

The vulnerability manifests in the authentication response handler for Multi-Attribute Login configurations. Refer to the WSO2 Security Advisory WSO2-2025-3983 for technical remediation details.

Detection Methods for CVE-2025-1396

Indicators of Compromise

  • High-volume login requests from a single source containing varying usernames or email addresses against WSO2 endpoints
  • Repeated authentication failures returning User does not exist responses in WSO2 audit logs
  • Sequential enumeration patterns targeting /authenticationendpoint/login.do or related login URIs
  • Unusual spikes in failed authentication events during off-hours

Detection Strategies

  • Parse WSO2 authentication logs for the User does not exist error string and correlate with source IP frequency
  • Deploy WAF or reverse proxy rules that flag rapid enumeration attempts against identity endpoints
  • Alert on response body differentials returned to the same client within short time windows
  • Baseline normal login failure rates and trigger alerts on statistical deviations

Monitoring Recommendations

  • Forward WSO2 Identity Server audit and carbon logs to a centralized SIEM for behavioral analytics
  • Track authentication failure ratios per source IP and per targeted identifier
  • Correlate enumeration attempts with subsequent successful logins to identify follow-on credential attacks
  • Monitor for downstream phishing campaigns referencing confirmed usernames or email addresses

How to Mitigate CVE-2025-1396

Immediate Actions Required

  • Apply the vendor updates referenced in WSO2 Security Advisory WSO2-2025-3983 to all affected WSO2 deployments
  • Inventory WSO2 Identity Server, Identity Server as Key Manager, and Open Banking IAM instances and confirm Multi-Attribute Login configuration status
  • Rate-limit authentication endpoints to slow enumeration attempts
  • Review historical logs for prior enumeration activity and rotate credentials for accounts exposed through phishing

Patch Information

WSO2 has issued remediation guidance in security advisory WSO2-2025-3983. Administrators must apply the vendor-supplied WUM updates or version upgrades for affected products. Consult the WSO2 Security Advisory WSO2-2025-3983 for exact patch identifiers and installation procedures.

Workarounds

  • Disable Multi-Attribute Login if the feature is not required for business operations
  • Place identity endpoints behind a WAF configured to normalize authentication error responses
  • Enforce CAPTCHA challenges after a small number of failed login attempts to disrupt automated enumeration
  • Deploy account lockout policies keyed on source IP as well as target identifier to limit enumeration throughput
bash
# Configuration example - reduce login attempt threshold in WSO2 deployment.toml
[account.lock_handler]
enabled = true
login.fail.timeout.ratio = 2
login.max.attempts = 5
account.unlock.time = 300

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.