CVE-2025-1396 Overview
CVE-2025-1396 is a username enumeration vulnerability affecting multiple WSO2 products when Multi-Attribute Login is enabled. The system returns a distinct User does not exist error message on the login form regardless of the validate_username setting. This response discrepancy lets attackers determine which usernames exist in the target system.
The flaw impacts WSO2 Identity Server, WSO2 Identity Server as Key Manager, and WSO2 Open Banking IAM. Confirmed usernames aid brute-force attacks, targeted phishing, and social engineering campaigns against valid identities.
Critical Impact
Attackers can enumerate valid usernames in WSO2 identity products through observable login response differences, enabling downstream credential attacks and phishing.
Affected Products
- WSO2 Identity Server versions 5.10.0, 5.11.0, 6.0.0, 6.1.0
- WSO2 Identity Server as Key Manager 5.10.0
- WSO2 Open Banking IAM 2.0.0
Discovery Timeline
- 2025-09-26 - CVE-2025-1396 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-1396
Vulnerability Analysis
The vulnerability falls under [CWE-203]: Observable Discrepancy. When Multi-Attribute Login is enabled, the WSO2 authentication endpoint responds differently based on whether the supplied identifier maps to an existing user account. A specific User does not exist message is returned for non-existent accounts, while invalid credentials for valid accounts produce a different response.
Multi-Attribute Login lets users authenticate using multiple identifiers such as username, email address, or mobile number. The validate_username configuration was designed to suppress user existence disclosure. In vulnerable versions, this setting is ignored when Multi-Attribute Login is active. Attackers exploit this by iterating candidate identifiers against the login form and classifying responses.
Root Cause
The root cause is inconsistent error handling in the Multi-Attribute Login flow. The authentication logic bypasses the validate_username guard that normally unifies error responses. This design flaw leaks user existence state through the response channel even when administrators explicitly configured the system to prevent enumeration.
Attack Vector
Exploitation requires no authentication and no user interaction. An attacker sends HTTP login requests containing candidate usernames, emails, or phone numbers to the WSO2 login endpoint. By comparing response bodies, status codes, or timing characteristics, the attacker builds a list of valid identifiers. This list then feeds credential stuffing, password spraying, or targeted phishing operations.
The vulnerability manifests in the authentication response handler for Multi-Attribute Login configurations. Refer to the WSO2 Security Advisory WSO2-2025-3983 for technical remediation details.
Detection Methods for CVE-2025-1396
Indicators of Compromise
- High-volume login requests from a single source containing varying usernames or email addresses against WSO2 endpoints
- Repeated authentication failures returning User does not exist responses in WSO2 audit logs
- Sequential enumeration patterns targeting /authenticationendpoint/login.do or related login URIs
- Unusual spikes in failed authentication events during off-hours
Detection Strategies
- Parse WSO2 authentication logs for the User does not exist error string and correlate with source IP frequency
- Deploy WAF or reverse proxy rules that flag rapid enumeration attempts against identity endpoints
- Alert on response body differentials returned to the same client within short time windows
- Baseline normal login failure rates and trigger alerts on statistical deviations
Monitoring Recommendations
- Forward WSO2 Identity Server audit and carbon logs to a centralized SIEM for behavioral analytics
- Track authentication failure ratios per source IP and per targeted identifier
- Correlate enumeration attempts with subsequent successful logins to identify follow-on credential attacks
- Monitor for downstream phishing campaigns referencing confirmed usernames or email addresses
How to Mitigate CVE-2025-1396
Immediate Actions Required
- Apply the vendor updates referenced in WSO2 Security Advisory WSO2-2025-3983 to all affected WSO2 deployments
- Inventory WSO2 Identity Server, Identity Server as Key Manager, and Open Banking IAM instances and confirm Multi-Attribute Login configuration status
- Rate-limit authentication endpoints to slow enumeration attempts
- Review historical logs for prior enumeration activity and rotate credentials for accounts exposed through phishing
Patch Information
WSO2 has issued remediation guidance in security advisory WSO2-2025-3983. Administrators must apply the vendor-supplied WUM updates or version upgrades for affected products. Consult the WSO2 Security Advisory WSO2-2025-3983 for exact patch identifiers and installation procedures.
Workarounds
- Disable Multi-Attribute Login if the feature is not required for business operations
- Place identity endpoints behind a WAF configured to normalize authentication error responses
- Enforce CAPTCHA challenges after a small number of failed login attempts to disrupt automated enumeration
- Deploy account lockout policies keyed on source IP as well as target identifier to limit enumeration throughput
# Configuration example - reduce login attempt threshold in WSO2 deployment.toml
[account.lock_handler]
enabled = true
login.fail.timeout.ratio = 2
login.max.attempts = 5
account.unlock.time = 300
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

