Platform: java
Component: wso2-api-manager
Fixed versions:
2.2.0.58
2.5.0.84
2.6.0.145
3.0.0.175
3.1.0.339
3.2.0.439
3.2.1.59
4.0.0.359
4.1.0.222
4.2.0.161
4.3.0.73
4.4.0.37
4.5.0.21
4.5.0.22
4.5.0.20
4.5.0.20
5.3.0.39
5.5.0.52
5.6.0.74
5.7.0.124
5.9.0.175
5.10.0.358
5.2.0.33
5.3.0.34
5.4.0.33
5.4.1.37
5.5.0.51
5.6.0.59
5.7.0.125
5.8.0.109
5.9.0.168
5.10.0.368
5.11.0.411
6.0.0.243
6.1.0.241
7.0.0.116
7.1.0.23
1.4.0.132
1.5.0.122
1.4.0.138
1.5.0.139
2.0.0.388
2.0.0.408
1.1.1.2
1.1.16.3
1.1.18.4
1.1.20.5
1.1.26.7
1.3.6.8
1.4.0.18
1.4.25.24
1.4.52.4
1.6.1.11
1.7.1.4
1.8.11.6
1.8.41.2
1.9.4.4
1.9.18.2
CVE-2025-9312 describes a missing authentication enforcement vulnerability within the mutual TLS (mTLS) implementation of WSO2 API Manager. This flaw allows attackers to bypass authentication controls, even when mTLS is enabled, potentially granting unauthorized access to System REST APIs and SOAP services. The vulnerability impacts versions 0 through 7.1.0.23 of WSO2 API Manager and has been resolved in version 7.1.0.23.
The impact of CVE-2025-9312 is severe. An attacker can exploit this vulnerability to gain unauthorized access to sensitive data and functionality exposed through WSO2 API Manager's System REST APIs and SOAP services. This could include accessing API keys, configuration data, and potentially even executing arbitrary code depending on the API's functionality. The lack of authentication enforcement effectively eliminates a key security layer, allowing attackers to bypass standard access controls. This vulnerability is particularly concerning as mTLS is often implemented to provide a strong layer of security, and its circumvention significantly increases the attack surface. Successful exploitation could lead to data breaches, service disruption, and reputational damage.
CVE-2025-9312 is currently not listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not yet available, but the vulnerability's severity and ease of exploitation suggest a medium probability of exploitation. The vulnerability was publicly disclosed on 2025-11-18. Active campaigns targeting WSO2 API Manager are not currently confirmed, but the high CVSS score warrants close monitoring.
Organizations heavily reliant on WSO2 API Manager for managing and securing their APIs are at significant risk. Specifically, deployments using default mTLS configurations without additional authentication layers are particularly vulnerable. Shared hosting environments where multiple tenants share the same WSO2 API Manager instance also face increased risk, as a compromise of one tenant could potentially lead to the compromise of others.
• java / server:
ps -ef | grep -i wso2
• java / server:
journalctl -u wso2-api-manager -f | grep -i "mTLS"
• generic web:
curl -I https://<wso2_api_manager_url>/system/rest/api/version # Check for 200 OK without authentication
Exploitation status
EPSS: 0.06% (18th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-9312 is to upgrade WSO2 API Manager to version 7.1.0.23 or later, which contains the fix. If immediate upgrading is not possible, consider implementing temporary workarounds. Review and tighten access controls on System REST APIs and SOAP services, restricting access to only authorized users and systems. Implement stricter input validation and sanitization to minimize the potential impact of any successful attacks. Monitor API logs for suspicious activity, particularly requests originating from unexpected sources or lacking proper authentication headers. Consider deploying a Web Application Firewall (WAF) to filter malicious requests and enforce authentication policies. After upgrading, confirm the fix by attempting to access protected APIs without a valid client certificate and verifying that the request is rejected.
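The post-upgrade check at the end of the paragraph, as an added example (not WSO2 tooling): a Python probe that sends the request once without and once with a trusted client certificate, and reports enforcement only when the anonymous request is rejected while the certificated one succeeds, since a rejection alone could just mean the endpoint is down. Host, port, path, CA file and client certificate paths are assumed placeholders.

```python
import http.client
import ssl
from dataclasses import dataclass
from typing import Optional, Tuple

# Placeholder values (assumed, not taken from the advisory): gateway host/port,
# a protected path, the CA that issued the gateway certificate, and a client
# certificate/key pair that the gateway is configured to trust.
HOST, PORT, PATH = "wso2-api-manager.example", 8243, "/system/rest/api/version"
CA_FILE = "gateway-ca.pem"
CLIENT_CERT = ("client.crt", "client.key")

@dataclass
class Probe:
    handshake_ok: bool            # False when the TLS handshake was refused
    status: Optional[int] = None  # HTTP status when the handshake succeeded

def probe(host: str, port: int, path: str, ca_file: str,
          client_cert: Optional[Tuple[str, str]] = None,
          timeout: float = 5.0) -> Probe:
    """Send one HEAD request, optionally presenting a client certificate."""
    ctx = ssl.create_default_context(cafile=ca_file)
    if client_cert:
        ctx.load_cert_chain(*client_cert)
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    try:
        conn.request("HEAD", path)
        return Probe(True, conn.getresponse().status)
    except (ssl.SSLError, ConnectionError):
        return Probe(False)
    finally:
        conn.close()

def verdict(without_cert: Probe, with_cert: Probe) -> str:
    """Decide from the two probes whether the endpoint enforces mTLS."""
    # A rejection without the cert proves nothing unless the trusted cert gets through.
    if not with_cert.handshake_ok or with_cert.status is None or with_cert.status >= 400:
        return "inconclusive"
    if not without_cert.handshake_ok or without_cert.status in (401, 403):
        return "enforced"
    if without_cert.status is not None and 200 <= without_cert.status < 300:
        return "bypass"  # anonymous request accepted: the flaw is still present
    return "inconclusive"

def check_enforcement() -> str:
    return verdict(probe(HOST, PORT, PATH, CA_FILE),
                   probe(HOST, PORT, PATH, CA_FILE, CLIENT_CERT))

if __name__ == "__main__":
    print(f"mTLS enforcement on {HOST}:{PORT}{PATH}: {check_enforcement()}")
```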
Update to the latest version of WSO2 API Manager that includes the fix for mTLS certificate validation. Consult the WSO2 security advisory for specific instructions on how to apply the patch or update your instance. Disable or correctly configure the affected mTLS flows until you can apply the update.
CVE-2025-9312 is a CRITICAL vulnerability in WSO2 API Manager where improper mTLS validation allows unauthenticated requests, bypassing authentication even when mTLS is enabled.
Yes, if you are using WSO2 API Manager versions 0 through 7.1.0.23 and have not implemented additional authentication measures beyond mTLS, you are potentially affected.
Upgrade WSO2 API Manager to version 7.1.0.23 or later. As a temporary workaround, tighten access controls and monitor API logs.
Active exploitation is not currently confirmed, but the high CVSS score and ease of exploitation suggest a potential risk.
Refer to the official WSO2 security advisory for detailed information and updates: [https://wso2.com/security-advisories/](https://wso2.com/security-advisories/)