CVE-2025-0663: Vulnerability in WSO2 WSO2 Open Banking IAM
A cross-tenant authentication vulnerability exists in multiple WSO2 products due to improper cryptographic design in Adaptive Authentication. A single cryptographic key is used across all tenants to sign authentication cookies, allowing a privileged user in one tenant to forge authentication cookies for users in other tenants. Because the Auto-Login feature is enabled by default, this flaw may allow an attacker to gain unauthorized access and potentially take over accounts in other tenants. Successful exploitation requires access to Adaptive Authentication functionality, which is typically restricted to high-privileged users. The vulnerability is only exploitable when Auto-Login is enabled, reducing its practical impact in deployments where the feature is disabled.
AI Analysis
Technical Summary
CVE-2025-0663 is a cross-tenant authentication vulnerability identified in WSO2 Open Banking IAM version 2.0.0. The root cause lies in the improper cryptographic design of the Adaptive Authentication feature, where a single cryptographic key is used across all tenants to sign authentication cookies. Because the verifier cannot tell which tenant produced a signature, a privileged user within one tenant can forge authentication cookies for users in other tenants, effectively bypassing tenant isolation. The vulnerability is exacerbated by the Auto-Login feature, which is enabled by default. This feature logs users in automatically on the strength of an authentication cookie, so an attacker who can forge such cookies may gain unauthorized access to accounts in other tenants without any further user interaction. Exploitation requires access to Adaptive Authentication functionality, which is typically restricted to high-privileged users, limiting the attack surface. The vulnerability does not require user interaction but does require a privileged user context within a tenant. The CVSS 3.1 score is 6.8 (medium severity), reflecting an adjacent-network attack vector, low attack complexity, high privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. There are no known exploits in the wild, and no patches have been published yet. The vulnerability corresponds to CWE-287 (Improper Authentication).
Potential Impact
For European organizations using WSO2 Open Banking IAM 2.0.0, this vulnerability poses a significant risk to multi-tenant environments, particularly in financial institutions and service providers managing multiple client tenants. Unauthorized cross-tenant access could lead to data breaches, financial fraud, and regulatory non-compliance, especially under the GDPR and PSD2 frameworks. Forged authentication cookies could allow attackers to impersonate users across tenants, potentially leading to account takeover, unauthorized transactions, and exposure of sensitive personal and financial data. The impact extends to loss of trust, legal penalties, and operational disruption. Since exploitation requires high privileges, insider threats and compromised administrative accounts are the primary risk vectors. The Auto-Login feature, being enabled by default, increases risk in typical deployments. Organizations with strict tenant isolation requirements and those operating in regulated sectors are particularly exposed.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should immediately review and disable the Auto-Login feature in WSO2 Open Banking IAM deployments where it is not essential, reducing the risk of cookie forgery exploitation. Restrict access to Adaptive Authentication functionality to the minimum necessary set of highly trusted administrators and implement strict role-based access controls (RBAC) and monitoring of privileged user activities. Employ network segmentation and multi-factor authentication (MFA) for administrative access to reduce the risk of privilege escalation. Monitor authentication logs for anomalies indicative of cross-tenant cookie forgery attempts. Organizations should engage with WSO2 for updates and patches addressing this cryptographic design flaw and plan for prompt patch deployment once available. Additionally, consider implementing tenant-specific cryptographic keys for signing authentication cookies as a long-term architectural improvement to prevent cross-tenant attacks. Conduct regular security audits and penetration testing focused on multi-tenant isolation controls.
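The recommendation to sign cookies with tenant-specific keys is the crux of the fix, so the following added example (constructed for this page; it is not WSO2 code and makes no claim about how Adaptive Authentication or Auto-Login is actually implemented) contrasts the two designs in plain HMAC terms. The master secret, tenant names, cookie format and the HMAC-based key derivation are all assumptions chosen for the demonstration. With a single deployment-wide key, a cookie whose tenant claim names another tenant still verifies, because the tenant claim is inside the signed payload and is therefore chosen by whoever holds the key. With a key derived per tenant, the receiving tenant verifies with its own key, so a cookie produced under a different tenant's key fails the MAC check before the claim is even read.

```python
"""Shared-key vs per-tenant-key cookie signing (constructed demonstration)."""
import base64
import hashlib
import hmac
import json

# Constructed placeholder; a real deployment keeps this in an HSM or secret store.
MASTER_SECRET = b"constructed-master-secret-not-a-real-key"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode(payload: dict) -> str:
    return _b64(json.dumps(payload, sort_keys=True).encode("utf-8"))


# --- Weak design: every tenant's cookies are signed with the same key ---------

def sign_shared(payload: dict) -> str:
    """Mint a cookie with the deployment-wide key, regardless of tenant."""
    body = _encode(payload)
    mac = hmac.new(MASTER_SECRET, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


def verify_shared(cookie: str, expected_tenant: str):
    """Return the payload if the MAC checks and the tenant claim matches, else None.
    The tenant claim is controlled by whoever holds the key, so this check is
    not a tenant boundary."""
    body, _, mac = cookie.partition(".")
    good = hmac.new(MASTER_SECRET, body.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(good, _unb64(mac)):
        return None
    payload = json.loads(_unb64(body))
    return payload if payload.get("tenant") == expected_tenant else None


# --- Hardened design: a key per tenant, derived from the master secret ---------

def tenant_key(tenant: str) -> bytes:
    """Derive a tenant-specific key (HMAC used as a simple labelled KDF; an
    assumption for the demo, a production system would use a proper KDF)."""
    return hmac.new(MASTER_SECRET, b"auth-cookie|" + tenant.encode("utf-8"),
                    hashlib.sha256).digest()


def sign_per_tenant(payload: dict, signing_tenant: str) -> str:
    """Mint a cookie with the key of the tenant whose context the signer runs in."""
    body = _encode(payload)
    mac = hmac.new(tenant_key(signing_tenant), body.encode("ascii"),
                   hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


def verify_per_tenant(cookie: str, expected_tenant: str):
    """Verify with the receiving tenant's own key, then still check the claim
    as defence in depth."""
    body, _, mac = cookie.partition(".")
    good = hmac.new(tenant_key(expected_tenant), body.encode("ascii"),
                    hashlib.sha256).digest()
    if not hmac.compare_digest(good, _unb64(mac)):
        return None
    payload = json.loads(_unb64(body))
    return payload if payload.get("tenant") == expected_tenant else None


def demo() -> dict:
    """A cookie minted in tenant-a's context that claims a user in tenant-b."""
    claim = {"user": "victim", "tenant": "tenant-b"}
    shared = sign_shared(claim)                                  # one key for all
    cross = sign_per_tenant(claim, signing_tenant="tenant-a")    # tenant-a's key
    legit = sign_per_tenant(claim, signing_tenant="tenant-b")    # tenant-b's key
    return {
        "shared_key_accepts_cross_tenant": verify_shared(shared, "tenant-b") is not None,
        "per_tenant_rejects_cross_tenant": verify_per_tenant(cross, "tenant-b") is None,
        "per_tenant_accepts_own": verify_per_tenant(legit, "tenant-b") == claim,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point worth carrying into a real review is that the per-tenant design moves the tenant identity out of the attacker-writable payload and into the key selection on the verifying side; the tenant claim check is kept only as a second line of defence. Rotating the master secret re-keys every tenant at once, which is usually what an operator wants, and per-tenant revocation can be added by mixing a tenant-specific key version into the derivation label.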
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Spain, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: WSO2
- Date Reserved: 2025-01-23T06:40:05.025Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68d2d2a01f3dbb78c7815c79
Added to database: 9/23/2025, 5:02:24 PM
Last enriched: 10/1/2025, 12:37:47 AM
Last updated: 10/6/2025, 6:35:57 PM