Platform
java
Component
wso2-identity-server
Fixed in
5.2.0.35
CVE-2025-12624 affects WSO2 Identity Server versions from 0.0.0 up to the fixed release, 5.2.0.35. The vulnerability stems from a failure to invalidate or revoke active access tokens when a user account is locked. Tokens that were issued before the lock remain valid until they expire on their own, so a locked account can keep using them against protected resources. The issue is resolved in version 5.2.0.35.
The primary impact is a bypass of access control: a locked account keeps working against protected resources for as long as its already-issued access tokens remain unexpired, so the lock does not achieve what an administrator expects of it. Depending on the scopes and permissions bound to those tokens, that can mean unauthorized reading, modification or deletion of data. The blast radius is set by the permissions carried by the token, its remaining lifetime and the sensitivity of the resources it reaches. The practical concern is incident response: locking an account that is believed to be compromised does not evict an attacker who already holds a valid token for it.
The exploitation context for CVE-2025-12624 is currently unclear: no public exploit is known and the vulnerability is not on the CISA KEV list. Its EPSS score is 0.01% (2nd percentile) and its CVSS score is 6 (MEDIUM). The entry was published by NVD on 2026-04-16.
Any organization that relies on WSO2 Identity Server for authentication and authorization, and on account locking as an immediate way to cut off a user, is exposed. The exposure window for a given token is bounded by its remaining lifetime, so deployments that issue long-lived access tokens, including those that kept legacy defaults, are affected most. Multi-tenant deployments are affected in the same way: locking a tenant's user does not by itself invalidate that user's outstanding tokens.
• java / server:
# WSO2 Identity Server product version (bin/version.txt ships with the product);
# the update level, e.g. 5.2.0.35, is recorded in updates/product.txt on
# installations managed with the WSO2 Update tool (confirm the path on your installation)
cat "$IS_HOME/bin/version.txt"
cat "$IS_HOME/updates/product.txt"
# Look for account-lock events and for access-token activity by accounts that are locked
grep -i 'lock' "$IS_HOME/repository/logs/audit.log"
grep -i 'access token' "$IS_HOME/repository/logs/wso2carbon.log"
• generic web:
# Confirm the OAuth2 token endpoint is exposed; any status other than 404 means it is reachable
curl -sk -o /dev/null -w '%{http_code}\n' https://your-wso2-identity-server:9443/oauth2/token
Exploit status
EPSS
0.01% (2nd percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2025-12624 is to upgrade WSO2 Identity Server to version 5.2.0.35 or later. Until the upgrade is done, shorten the access-token validity period so that a locked account's tokens expire quickly, revoke the outstanding tokens of any account you lock, and keep token scopes narrow to limit what a leftover token can do. Monitor the audit logs for resource access by accounts that are in the locked state. After upgrading, verify the fix: issue a token to a test user, lock that user, and try to use the token against a protected resource; the request must be rejected.
Upgrade WSO2 Identity Server to version 5.2.0.35 or later to mitigate the vulnerability. The update corrects the token-invalidation flaw so that locked accounts can no longer reach protected resources with tokens that have not yet expired.
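The two checks from the mitigation above, the interim token-lifetime review and the post-upgrade lock test, as an added shell script. This is example code written for this page, not WSO2's own tooling. It assumes the access-token lifetime is configured in `<IS_HOME>/repository/conf/identity/identity.xml` as `<AccessTokenDefaultValidityPeriod>` (seconds); that the OAuth2 endpoints are the standard WSO2 IS paths `/oauth2/token`, `/oauth2/userinfo` and `/oauth2/introspect` on port 9443; that an administrative user may call the introspection endpoint with HTTP basic auth; and that the operator performs the lock in the Management Console while the script waits. Hostname, client credentials and user names are placeholders.

```shell
#!/usr/bin/env bash
# Example for CVE-2025-12624 (added here, not WSO2 code). Assumptions: identity.xml
# holds <AccessTokenDefaultValidityPeriod>; endpoints /oauth2/token, /oauth2/userinfo,
# /oauth2/introspect; admin basic auth accepted by the introspection endpoint.
set -u

# Print the configured access-token lifetime in seconds from the identity.xml
# given as $1, or "unset" when the element is absent.
access_token_lifetime() {
  sed -n 's/.*<AccessTokenDefaultValidityPeriod>[[:space:]]*\([0-9]*\)[[:space:]]*<\/AccessTokenDefaultValidityPeriod>.*/\1/p' "$1" \
    | head -n 1 | grep . || echo unset
}

# Succeed when the lifetime ($1) exceeds the threshold ($2, default 3600 s).
lifetime_too_long() {
  local lifetime="$1" max="${2:-3600}"
  [ "$lifetime" != "unset" ] && [ "$lifetime" -gt "$max" ]
}

# Succeed when an RFC 7662 introspection response says the token is still usable.
token_is_active() {
  printf '%s' "$1" | grep -Eq '"active"[[:space:]]*:[[:space:]]*true'
}

# Verdict for the post-lock check: PASS only when introspection reports
# "active":false AND the protected resource answered 401 for the pre-lock token.
lock_verdict() {
  local introspect_json="$1" userinfo_status="$2"
  if token_is_active "$introspect_json"; then echo FAIL; return; fi
  if [ "$userinfo_status" = "200" ]; then echo FAIL; return; fi
  if printf '%s' "$introspect_json" | grep -Eq '"active"[[:space:]]*:[[:space:]]*false' \
     && [ "$userinfo_status" = "401" ]; then
    echo PASS; return
  fi
  echo INCONCLUSIVE
}

# Live procedure (needs network): issue a token to a test user, prove it works,
# wait for the operator to lock the user, then re-check the very same token.
# -k is only for the default self-signed certificate of a lab instance.
verify_lock_revokes_token() {
  local client_id="$1" client_secret="$2" user="$3" pass="$4" admin="$5" admin_pw="$6"
  local base="${IS:-https://localhost:9443}" token before after json
  token=$(curl -sk -u "$client_id:$client_secret" \
    -d "grant_type=password&username=$user&password=$pass&scope=openid" \
    "$base/oauth2/token" | sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  [ -n "$token" ] || { echo "no access token issued"; return 2; }
  before=$(curl -sk -o /dev/null -w '%{http_code}' -H "Authorization: Bearer $token" "$base/oauth2/userinfo")
  echo "userinfo before lock: HTTP $before (expect 200)"
  printf 'Lock user %s now in the Management Console, then press Enter: ' "$user"; read -r _
  after=$(curl -sk -o /dev/null -w '%{http_code}' -H "Authorization: Bearer $token" "$base/oauth2/userinfo")
  json=$(curl -sk -u "$admin:$admin_pw" -d "token=$token" "$base/oauth2/introspect")
  echo "userinfo after lock: HTTP $after; introspection: $json"
  lock_verdict "$json" "$after"
}

case "${1:-}" in
  lifetime)
    [ -n "${2:-}" ] || { echo "usage: $0 lifetime <path/to/identity.xml>"; exit 2; }
    lt=$(access_token_lifetime "$2")
    echo "AccessTokenDefaultValidityPeriod: $lt"
    if lifetime_too_long "$lt"; then echo "longer than 3600 s: shorten it as an interim mitigation"; fi ;;
  verify)
    shift
    [ $# -ge 6 ] || { echo "usage: IS=https://host:9443 $0 verify <client_id> <client_secret> <user> <password> <admin> <admin_password>"; exit 2; }
    verify_lock_revokes_token "$@" ;;
esac
```

`./verify_lock.sh lifetime $IS_HOME/repository/conf/identity/identity.xml` prints the configured lifetime and flags anything above an hour; `IS=https://is.example.com:9443 ./verify_lock.sh verify <client_id> <client_secret> <user> <password> <admin> <admin_password>` runs the before/after test and prints PASS only when the userinfo call returns 401 and introspection reports the pre-lock token as inactive. On an unpatched instance the second userinfo call still returns 200 and the verdict is FAIL.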
CVE-2025-12624 is a medium-severity vulnerability in WSO2 Identity Server versions before 5.2.0.35: access tokens are not invalidated when a user account is locked, so the locked account keeps access until the tokens expire.
You are affected if you run WSO2 Identity Server at a version earlier than 5.2.0.35.
Upgrade WSO2 Identity Server to version 5.2.0.35 or later. As a temporary workaround, revoke the outstanding access tokens of an account at the time you lock it, and shorten the access-token validity period.
There is currently no evidence of active exploitation of CVE-2025-12624.
Refer to the official WSO2 security advisory for CVE-2025-12624 on the WSO2 website.