
CVE-2025-0672: Vulnerability in WSO2 WSO2 Identity Server as Key Manager

Severity: Low
Published: Tue Sep 23 2025 (09/23/2025, 17:30:42 UTC)
Source: CVE Database V5
Vendor/Project: WSO2
Product: WSO2 Identity Server as Key Manager

Description

An authentication bypass vulnerability exists in multiple WSO2 products when FIDO authentication is enabled. When a user account is deleted, the system does not automatically remove associated FIDO registration data. If a new user account is later created using the same username, the system may associate the new account with the previously registered FIDO device. This flaw may allow a previously deleted user to authenticate using their FIDO credentials and impersonate the newly created user, resulting in unauthorized access. The vulnerability applies only to deployments that utilize FIDO-based authentication.

AI-Powered Analysis

Last updated: 10/01/2025, 00:38:10 UTC

Technical Analysis

CVE-2025-0672 is an authentication bypass vulnerability affecting WSO2 Identity Server when used as a Key Manager, specifically in version 5.10.0. The vulnerability arises in deployments that enable FIDO-based authentication. The core issue is that when a user account is deleted, the system fails to remove the associated FIDO registration data. Consequently, if a new user account is created with the same username as the deleted account, the system may incorrectly associate the new account with the old FIDO device registration. This flaw allows an attacker who previously held the deleted account's FIDO credentials to authenticate as the new user, effectively impersonating them and gaining unauthorized access. The vulnerability is classified under CWE-287 (Improper Authentication). The CVSS v3.1 score is 3.3, indicating low severity; the vector reflects a network attack vector (AV:N), high attack complexity (AC:H), high privileges required (PR:H), no user interaction (UI:N), unchanged scope (S:U), low impact on confidentiality and integrity (C:L/I:L) and no impact on availability (A:N). No known exploits are currently reported in the wild, and no patches have been linked yet. This vulnerability is particularly relevant for organizations using WSO2 Identity Server as a Key Manager with FIDO authentication enabled, as it undermines the trust model of FIDO by allowing reuse of authentication credentials tied to deleted accounts.
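The following Python model is an added illustration of the lifecycle failure described above; it is not WSO2 code and does not reproduce WSO2 internals. The two store classes, the usernames and the credential identifiers are constructed for this example. The weak store keys FIDO registrations by username and leaves them in place when the account is deleted, so a re-created account with the same name inherits the old credential. The hardened store keys registrations by an immutable internal user identifier, purges them together with the account, refuses to create an account while orphaned registration data for that name still exists, and exposes an audit query for stale registrations.

```python
"""Toy model of FIDO credential binding across an account's lifecycle.

Added example, not WSO2 code. Store classes, usernames and credential ids
are constructed for illustration.
"""
from dataclasses import dataclass, field
import itertools

_next_id = itertools.count(1)


@dataclass
class User:
    username: str
    # Immutable internal identifier; never reused for a later account.
    user_id: int = field(default_factory=lambda: next(_next_id))


class UsernameKeyedStore:
    """Weak pattern: registrations keyed by username and never purged."""

    def __init__(self):
        self.users = {}   # username -> User
        self.fido = {}    # username -> set of credential ids

    def create_user(self, username):
        if username in self.users:
            raise ValueError(f"{username} already exists")
        self.users[username] = User(username)
        return self.users[username]

    def delete_user(self, username):
        del self.users[username]   # registration data is left behind

    def register_fido(self, username, cred_id):
        self.fido.setdefault(username, set()).add(cred_id)

    def fido_authenticate(self, username, cred_id):
        return username in self.users and cred_id in self.fido.get(username, set())

    def stale_registrations(self):
        """Audit: registrations whose username has no live account."""
        return {u: c for u, c in self.fido.items() if u not in self.users}


class UserIdKeyedStore:
    """Hardened: key by user_id, purge on delete, refuse re-creation over
    orphaned data, and support a stale-registration audit."""

    def __init__(self):
        self.users = {}   # username -> User
        self.fido = {}    # user_id -> {"username": str, "creds": set}

    def create_user(self, username):
        if username in self.users:
            raise ValueError(f"{username} already exists")
        # Defence in depth: if an earlier purge failed, do not inherit its data.
        if any(r["username"] == username for r in self.fido.values()):
            raise ValueError(f"stale FIDO data for {username}; purge before re-creating")
        self.users[username] = User(username)
        return self.users[username]

    def delete_user(self, username):
        user = self.users.pop(username)
        self.fido.pop(user.user_id, None)   # purge alongside the account

    def register_fido(self, username, cred_id):
        user = self.users[username]
        rec = self.fido.setdefault(user.user_id, {"username": username, "creds": set()})
        rec["creds"].add(cred_id)

    def fido_authenticate(self, username, cred_id):
        user = self.users.get(username)
        if user is None:
            return False
        rec = self.fido.get(user.user_id)
        return rec is not None and cred_id in rec["creds"]

    def stale_registrations(self):
        live = {u.user_id for u in self.users.values()}
        return {uid: r for uid, r in self.fido.items() if uid not in live}


def relifecycle(store):
    """Register, delete, re-create the same username, then report whether the
    OLD credential still authenticates the NEW account."""
    store.create_user("alice")
    store.register_fido("alice", "cred-old")
    store.delete_user("alice")
    store.create_user("alice")
    return store.fido_authenticate("alice", "cred-old")


def failed_purge_blocks_recreation(store):
    """Simulate a deletion whose purge never ran (account row removed directly)
    and report whether re-creating the username is refused."""
    store.create_user("bob")
    store.register_fido("bob", "cred-bob")
    store.users.pop("bob")   # account gone, registration data orphaned
    try:
        store.create_user("bob")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("weak store, old credential works on new account:", relifecycle(UsernameKeyedStore()))
    print("hardened store, old credential works on new account:", relifecycle(UserIdKeyedStore()))
```

The stale_registrations audit on either store is the check behind mitigation step 1 below: any registration whose owner no longer exists is exactly the data that must be purged before the username can be safely reused.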

Potential Impact

For European organizations, this vulnerability could lead to unauthorized access to critical identity and access management systems, especially those relying on WSO2 Identity Server for authentication and key management. The impersonation of users via reused FIDO credentials could compromise sensitive data, disrupt business processes, and potentially lead to privilege escalation if the new user account has elevated permissions. Although the CVSS score is low, the impact on confidentiality and integrity could be significant in environments where identity management is central to security. This is particularly concerning for sectors with strict regulatory requirements such as finance, healthcare, and government institutions in Europe, where identity compromise can lead to regulatory penalties and loss of trust. The vulnerability requires privileged attacker access and high attack complexity, which somewhat limits exploitation but does not eliminate risk, especially from insider threats or attackers who have already gained some level of access.

Mitigation Recommendations

To mitigate this vulnerability, organizations should implement the following specific measures:

1) Immediately audit and verify that user deletion processes also remove all associated FIDO registration data, to prevent stale credentials from persisting.
2) Implement additional checks during user account creation to detect and prevent reuse of usernames that still have FIDO credentials from deleted accounts.
3) Enforce strict account lifecycle management policies, ensuring that identity and authentication artifacts are fully purged upon account deletion.
4) Monitor authentication logs for anomalies such as unexpected FIDO authentications on newly created accounts with reused usernames.
5) Restrict privileged access to user management functions to minimize the risk of improper account deletions or creations.
6) Engage with WSO2 for patches or updates addressing this vulnerability and plan timely deployment once available.
7) Consider implementing multi-factor authentication methods that do not rely solely on FIDO credentials, or adding verification steps for account re-creation scenarios.

These steps go beyond generic advice by focusing on lifecycle management of authentication data and proactive detection of anomalous authentication events.
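Step 4 above asks for log monitoring. The following added Python example, which is not WSO2 code and is not taken from this page, implements that check over a constructed JSON-lines event stream: it tracks the most recent creation time of each username and the registration time of each credential, and flags any successful FIDO login whose credential was registered before the current account generation began. The event names, field names and sample records are assumptions made for this example.

```python
"""Detect FIDO logins that use a credential registered before the current
account was created (i.e. inherited from a deleted account).

Added example. The log format, event names and field names are constructed
for illustration and are not WSO2's.
"""
import json

# Constructed JSON-lines event stream. Timestamps are ISO-8601 UTC strings,
# which sort correctly as plain strings.
SAMPLE_LOG = """
{"ts":"2025-09-01T09:00:00Z","event":"user.created","username":"alice"}
{"ts":"2025-09-01T09:05:00Z","event":"fido.registered","username":"alice","credential_id":"cred-A"}
{"ts":"2025-09-10T17:00:00Z","event":"user.deleted","username":"alice"}
{"ts":"2025-09-20T08:00:00Z","event":"user.created","username":"alice"}
{"ts":"2025-09-20T08:30:00Z","event":"fido.auth.success","username":"alice","credential_id":"cred-A"}
{"ts":"2025-09-21T10:00:00Z","event":"fido.registered","username":"alice","credential_id":"cred-B"}
{"ts":"2025-09-21T10:05:00Z","event":"fido.auth.success","username":"alice","credential_id":"cred-B"}
{"ts":"2025-09-21T11:00:00Z","event":"fido.auth.success","username":"bob","credential_id":"cred-C"}
"""


def parse_events(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_stale_credential_logins(events):
    """Return findings for FIDO logins whose credential predates the account.

    created_at holds the timestamp of the latest user.created per username,
    which marks the start of the current account generation. registered_at
    holds when each (username, credential_id) pair was registered. A login
    with a credential registered before the current generation, or with no
    registration event in the window at all, is reported.
    """
    created_at = {}      # username -> ts of most recent creation
    registered_at = {}   # (username, credential_id) -> ts of registration
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        kind, user = e["event"], e["username"]
        if kind == "user.created":
            created_at[user] = e["ts"]
        elif kind == "fido.registered":
            registered_at[(user, e["credential_id"])] = e["ts"]
        elif kind == "fido.auth.success":
            cred = e["credential_id"]
            reg = registered_at.get((user, cred))
            gen = created_at.get(user)
            if reg is None:
                reason = "no registration event for this credential in the log window"
            elif gen is not None and reg < gen:
                reason = "registered before current account was created"
            else:
                continue
            findings.append({"ts": e["ts"], "username": user,
                             "credential_id": cred, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_stale_credential_logins(parse_events(SAMPLE_LOG)):
        print(f)
```

The second finding kind (no registration event in the window) is usually a retention artefact rather than an incident, but it is worth surfacing: it means the monitor cannot prove the credential belongs to the current account generation, so the log window should be widened or the credential inventory checked by other means.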


Technical Details

Data Version
5.1
Assigner Short Name
WSO2
Date Reserved
2025-01-23T13:38:31.988Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68d2da7af7fe4c56f0792df1

Added to database: 9/23/2025, 5:35:54 PM

Last enriched: 10/1/2025, 12:38:10 AM

Last updated: 10/7/2025, 1:41:21 PM

