CRITICALCVE-2025-9312CVSS 9.8

CVE-2025-9312: Missing Authentication in WSO2 API Manager

Platform

java

Component

wso2-api-manager

Fixed in

2.2.0.58

2.5.0.84

2.6.0.145

3.0.0.175

3.1.0.339

3.2.0.439

3.2.1.59

4.0.0.359

4.1.0.222

4.2.0.161

4.3.0.73

4.4.0.37

4.5.0.21

4.5.0.22

4.5.0.20

5.3.0.39

5.5.0.52

5.6.0.74

5.7.0.124

5.9.0.175

5.10.0.358

5.2.0.33

5.3.0.34

5.4.0.33

5.4.1.37

5.5.0.51

5.6.0.59

5.7.0.125

5.8.0.109

5.9.0.168

5.10.0.368

5.11.0.411

6.0.0.243

6.1.0.241

7.0.0.116

7.1.0.23

1.4.0.132

1.5.0.122

1.4.0.138

1.5.0.139

2.0.0.388

2.0.0.408

1.1.1.2

1.1.16.3

1.1.18.4

1.1.20.5

1.1.26.7

1.3.6.8

1.4.0.18

1.4.25.24

1.4.52.4

1.6.1.11

1.7.1.4

1.8.11.6

1.8.41.2

1.9.4.4

1.9.18.2

AI Confidence: highNVDEPSS 0.1%Reviewed: May 2026

View on NVD

Save

CVE-2025-9312 describes a missing authentication enforcement vulnerability within the mutual TLS (mTLS) implementation of WSO2 API Manager. This flaw allows attackers to bypass authentication controls, even when mTLS is enabled, potentially granting unauthorized access to System REST APIs and SOAP services. The vulnerability impacts versions 0 through 7.1.0.23 of WSO2 API Manager and has been resolved in version 7.1.0.23.

Impact and Attack Scenarios

The impact of CVE-2025-9312 is severe. An attacker can exploit this vulnerability to gain unauthorized access to sensitive data and functionality exposed through WSO2 API Manager's System REST APIs and SOAP services. This could include accessing API keys, configuration data, and potentially even executing arbitrary code depending on the API's functionality. The lack of authentication enforcement effectively eliminates a key security layer, allowing attackers to bypass standard access controls. This vulnerability is particularly concerning as mTLS is often implemented to provide a strong layer of security, and its circumvention significantly increases the attack surface. Successful exploitation could lead to data breaches, service disruption, and reputational damage.

Exploitation Context

CVE-2025-9312 is currently not listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not yet available, but the vulnerability's severity and ease of exploitation suggest a medium probability of exploitation. The vulnerability was publicly disclosed on 2025-11-18. Active campaigns targeting WSO2 API Manager are not currently confirmed, but the high CVSS score warrants close monitoring.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

EPSS

0.06% (18% percentile)

CISA SSVC

Exploitationnone

Automatableyes

Technical Impactpartial

CVSS Vector

Affected Software

Componentwso2-api-manager

VendorWSO2

Affected rangeFixed in

2.2.0 – 2.2.0.582.2.0.58

2.5.0 – 2.5.0.842.5.0.84

2.6.0 – 2.6.0.1452.6.0.145

3.0.0 – 3.0.0.1753.0.0.175

3.1.0 – 3.1.0.3393.1.0.339

3.2.0 – 3.2.0.4393.2.0.439

3.2.1 – 3.2.1.593.2.1.59

4.0.0 – 4.0.0.3594.0.0.359

4.1.0 – 4.1.0.2224.1.0.222

4.2.0 – 4.2.0.1614.2.0.161

4.3.0 – 4.3.0.734.3.0.73

4.4.0 – 4.4.0.374.4.0.37

4.5.0 – 4.5.0.214.5.0.21

4.5.0 – 4.5.0.224.5.0.22

4.5.0 – 4.5.0.204.5.0.20

5.3.0 – 5.3.0.395.3.0.39

5.5.0 – 5.5.0.525.5.0.52

5.6.0 – 5.6.0.745.6.0.74

5.7.0 – 5.7.0.1245.7.0.124

5.9.0 – 5.9.0.1755.9.0.175

5.10.0 – 5.10.0.3585.10.0.358

5.2.0 – 5.2.0.335.2.0.33

5.3.0 – 5.3.0.345.3.0.34

5.4.0 – 5.4.0.335.4.0.33

5.4.1 – 5.4.1.375.4.1.37

5.5.0 – 5.5.0.515.5.0.51

5.6.0 – 5.6.0.595.6.0.59

5.7.0 – 5.7.0.1255.7.0.125

5.8.0 – 5.8.0.1095.8.0.109

5.9.0 – 5.9.0.1685.9.0.168

5.10.0 – 5.10.0.3685.10.0.368

5.11.0 – 5.11.0.4115.11.0.411

6.0.0 – 6.0.0.2436.0.0.243

6.1.0 – 6.1.0.2416.1.0.241

7.0.0 – 7.0.0.1167.0.0.116

7.1.0 – 7.1.0.237.1.0.23

1.4.0 – 1.4.0.1321.4.0.132

1.5.0 – 1.5.0.1221.5.0.122

1.4.0 – 1.4.0.1381.4.0.138

1.5.0 – 1.5.0.1391.5.0.139

2.0.0 – 2.0.0.3882.0.0.388

2.0.0 – 2.0.0.4082.0.0.408

1.1.1 – 1.1.1.21.1.1.2

1.1.16 – 1.1.16.31.1.16.3

1.1.18 – 1.1.18.41.1.18.4

1.1.20 – 1.1.20.51.1.20.5

1.1.26 – 1.1.26.71.1.26.7

1.3.6 – 1.3.6.81.3.6.8

1.4.0 – 1.4.0.181.4.0.18

1.4.25 – 1.4.25.241.4.25.24

1.4.52 – 1.4.52.41.4.52.4

1.6.1 – 1.6.1.111.6.1.11

1.7.1 – 1.7.1.41.7.1.4

1.8.11 – 1.8.11.61.8.11.6

1.8.41 – 1.8.41.21.8.41.2

1.9.4 – 1.9.4.41.9.4.4

1.9.18 – 1.9.18.21.9.18.2

Weakness Classification (CWE)

CWE-306

Timeline

Reserved2025-08-21
Published2025-11-18
EPSS updated2026-03-23

Mitigation and Workarounds

The primary mitigation for CVE-2025-9312 is to upgrade WSO2 API Manager to version 7.1.0.23 or later, which contains the fix. If immediate upgrading is not possible, consider implementing temporary workarounds. Review and tighten access controls on System REST APIs and SOAP services, restricting access to only authorized users and systems. Implement stricter input validation and sanitization to minimize the potential impact of any successful attacks. Monitor API logs for suspicious activity, particularly requests originating from unexpected sources or lacking proper authentication headers. Consider deploying a Web Application Firewall (WAF) to filter malicious requests and enforce authentication policies. After upgrade, confirm by verifying that mTLS authentication is properly enforced by attempting to access protected APIs without a valid client certificate.

How to fix

Update to the latest version of WSO2 API Manager that includes the fix for mTLS certificate validation. Refer to the WSO2 security advisory for specific instructions on how to apply the patch or update your instance. Disable or properly configure the affected mTLS flows until you can apply the update.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2025-9312 — Missing Authentication in WSO2 API Manager?

CVE-2025-9312 is a CRITICAL vulnerability in WSO2 API Manager where improper mTLS validation allows unauthenticated requests, bypassing authentication even when mTLS is enabled.

Am I affected by CVE-2025-9312 in WSO2 API Manager?

Yes, if you are using WSO2 API Manager versions 0 through 7.1.0.23 and have not implemented additional authentication measures beyond mTLS, you are potentially affected.

How do I fix CVE-2025-9312 in WSO2 API Manager?

Upgrade WSO2 API Manager to version 7.1.0.23 or later. As a temporary workaround, tighten access controls and monitor API logs.

Is CVE-2025-9312 being actively exploited?

Active exploitation is not currently confirmed, but the high CVSS score and ease of exploitation suggest a potential risk.

Where can I find the official WSO2 advisory for CVE-2025-9312?

Refer to the official WSO2 security advisory for detailed information and updates: [https://wso2.com/security-advisories/](https://wso2.com/security-advisories/)

NextGuard

Vulnerabilities

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Java / Maven

Detect this CVE in your project

Upload your pom.xml file and we'll tell you instantly if you're affected.

Supported formats: pom.xml · build.gradle

Scan free

Search CVEs

Upload pom.xml

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability: High — complete crash or resource exhaustion. Full denial of service.