PT-2025-47304 · Wso2 · Wso2 Products
Published: 2025-11-18 · Updated: 2025-12-08 · CVE-2025-9312
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: WSO2 products (affected versions not specified)
Description: A missing authentication enforcement issue exists in the mutual TLS (mTLS) implementation used by System REST APIs and SOAP services. Improper validation of client certificate-based authentication in certain default configurations may permit unauthenticated requests when mTLS is enabled. This occurs when relying on default mTLS settings for System REST APIs or when the mTLS authenticator is enabled for SOAP services. Successful exploitation allows a malicious actor with network access to the affected endpoints to gain administrative privileges and perform unauthorized operations. The issue is exploitable only when the impacted mTLS flows are enabled and accessible. Other certificate-based authentication mechanisms, such as Mutual TLS OAuth client authentication and X.509 login flows, are not affected, and APIs served through the WSO2 API Gateway remain unaffected. The affected API endpoints are the System REST APIs and SOAP services.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration: Missing Authentication
Related Identifiers: CVE-2025-9312
Affected Products: Wso2 Products