Zero Day Monitor (ZDM)
CVE-2025-9973 (PATCHED)
wso2 · wso2 identity server

Authorization Bypass via Adaptive Authentication in WSO2 Identity Server Allows Cross-Organization Account Takeover

Description

A vulnerability classified as problematic has been found in WSO2 Identity Server and the Conditional Authentication User and Roles Related Functions. It affects an unknown part of the Organization Context Handler component. Manipulation leads to a missing initialization of a variable (CWE-665). Exploitation requires access to the local (adjacent) network.

Affected Products

Vendor | Product              | Versions
wso2   | wso2 identity server | 7.1.0, 1.2.76

References

  • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4530/ (vendor advisory)

Related News (1 article)

Tier C · VulDB · 47d ago
CVE-2025-9973 | WSO2 Identity Server Organization Context missing initialization
No new info (linked only)
CVSS 3.1: 0.0 (MEDIUM)
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
CISA KEV: No
Actively exploited: No
Patch available: 7.1.0.26, 1.2.76.1, 1.2.82
CWE: CWE-665
Published: May 11, 2026
Last enriched: 47d ago (v2)
Tags: CVE-2025-9973
Trending Score: 0
Source articles: 1
Independent: 1
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack


Related CVEs (5)

HIGH · CVE-2026-2053 · EXP
Unauthenticated Server-Side Request Forgery via WS-Addressing in WSO2 API Manager
Trending: 54
HIGH · CVE-2025-10908 · EXP
Account Lock Bypass via Magic Link or Pass Key Authentication in WSO2 Identity Server Allows Unauthorized Access
MEDIUM · CVE-2024-0391 · EXP
Username Enumeration via Email OTP Flow in Multiple WSO2 Products Allows User Account Discovery
MEDIUM · CVE-2025-8325 · EXP
Improper Access Control via Gateway API in Multiple WSO2 Products Allows Unauthorized Operations
HIGH · CVE-2024-2374
XML External Entity Injection in Multiple WSO2 Products Allows Arbitrary File Read and Denial of Service

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
May 11, 2026
Discovered by ZDM
May 11, 2026
Patch Available
May 11, 2026
Updated: description, cvssEstimate, cweIds, tags
May 11, 2026

Version History

v2 · Tier C · 47d ago (last enriched 47d ago)

Updated description with new technical details, added CWE-665, and noted that no exploit is available.

Fields updated: description, cvssEstimate, cweIds, tags
via VulDB
v1 · 47d ago

Initial creation