
CVE-2025-1396: CWE-203 Observable Discrepancy in WSO2 WSO2 Identity Server

Severity: Low
Tags: Vulnerability, CVE-2025-1396, CWE-203
Published: Fri Sep 26 2025 (09/26/2025, 07:52:52 UTC)
Source: CVE Database V5
Vendor/Project: WSO2
Product: WSO2 Identity Server

Description

A username enumeration vulnerability exists in multiple WSO2 products when Multi-Attribute Login is enabled. In this configuration, the system returns a distinct "User does not exist" error message to the login form, regardless of the validate_username setting. This behavior allows malicious actors to determine which usernames exist in the system based on observable discrepancies in the application's responses. Exploitation of this vulnerability could aid in brute-force attacks, targeted phishing campaigns, or other social engineering techniques by confirming the validity of user identifiers within the system.

AI-Powered Analysis

AI analysis last updated: 10/04/2025, 00:28:51 UTC

Technical Analysis

CVE-2025-1396 is a username enumeration vulnerability affecting multiple versions of the WSO2 Identity Server (versions 5.10.0, 5.11.0, 6.0.0, and 6.1.0) when the Multi-Attribute Login feature is enabled. The vulnerability arises because the system returns a distinct error message, specifically "User does not exist," during login attempts when an invalid username is submitted. This behavior occurs regardless of the validate_username setting, which ideally should prevent such information leakage. The vulnerability is classified under CWE-203 (Observable Discrepancy), indicating that the application reveals information through differing responses that can be observed by an attacker. By exploiting this discrepancy, an attacker can confirm the existence or non-existence of specific usernames in the system. This information can be leveraged to facilitate brute-force attacks by focusing on valid usernames, improve the success rate of targeted phishing or social engineering campaigns by confirming user identifiers, or assist in reconnaissance activities for further exploitation. The CVSS v3.1 score assigned is 3.7 (low severity), reflecting that the vulnerability impacts confidentiality to a limited extent, does not affect integrity or availability, requires no privileges or user interaction, but has a high attack complexity. No known exploits are currently reported in the wild, and no patches are linked at the time of publication. This vulnerability is technical in nature and specifically targets the authentication mechanism of WSO2 Identity Server, a widely used identity and access management platform in enterprise environments.

Potential Impact

For European organizations using WSO2 Identity Server with Multi-Attribute Login enabled, this vulnerability poses a risk primarily to user confidentiality. Attackers can enumerate valid usernames, which can significantly aid in crafting more effective brute-force attacks or social engineering campaigns such as spear phishing. This can lead to unauthorized access if combined with weak password policies or reused credentials. While the vulnerability does not directly compromise system integrity or availability, the information leakage can be a stepping stone for more severe attacks. Organizations in sectors with high regulatory requirements for data protection, such as finance, healthcare, and government, may face increased risk of targeted attacks exploiting this vulnerability. Additionally, the exposure of valid usernames could violate privacy regulations like GDPR if it leads to unauthorized access or data breaches. The low CVSS score indicates limited direct impact, but the indirect consequences through chained attacks could be significant, especially in environments with sensitive data or critical infrastructure.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should first verify if Multi-Attribute Login is enabled on their WSO2 Identity Server deployments and assess if affected versions (5.10.0, 5.11.0, 6.0.0, 6.1.0) are in use. If so, organizations should consider disabling Multi-Attribute Login temporarily until a patch or update is available that addresses the issue. Alternatively, configuring the system to return generic error messages that do not reveal whether a username exists can prevent information leakage. Implementing account lockout or throttling mechanisms after multiple failed login attempts can reduce the risk of brute-force attacks. Monitoring authentication logs for unusual login attempts or enumeration patterns is also recommended. Organizations should enforce strong password policies and encourage multi-factor authentication (MFA) to reduce the impact of username enumeration. Finally, staying updated with WSO2 security advisories and applying patches promptly once released is critical. Network-level protections such as Web Application Firewalls (WAFs) can be tuned to detect and block enumeration attempts based on request patterns.
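As an added illustration of the CWE-203 pattern and the generic-error-message mitigation described above (example code, not WSO2's implementation; the user store, handler names and `validate_username` parameter are constructed for the example):

```python
# Added example (not WSO2 code): a login handler that leaks account
# existence through a distinct error, beside one that returns a single
# generic message, plus a check that flags any observable discrepancy.
# The user store and handler structure are constructed sample data.
import hashlib
import hmac

# Constructed sample user store: username -> sha256(password) hex digest.
USERS = {
    "alice": hashlib.sha256(b"correct horse").hexdigest(),
}

def _password_ok(username: str, password: str) -> bool:
    """Compare against the stored hash; hash even for unknown users so
    timing does not differ by account existence."""
    stored = USERS.get(username, hashlib.sha256(b"").hexdigest())
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, candidate) and username in USERS

def leaky_login(username: str, password: str,
                validate_username: bool = False) -> str:
    """Vulnerable pattern: the error text differs for unknown usernames,
    and the validate_username setting is not honoured (as in the CVE)."""
    if username not in USERS:
        return "User does not exist"   # emitted regardless of the setting
    if not _password_ok(username, password):
        return "Invalid password"
    return "OK"

def hardened_login(username: str, password: str) -> str:
    """Mitigated pattern: one generic message for every failure."""
    if _password_ok(username, password):
        return "OK"
    return "Invalid username or password"

def has_observable_discrepancy(login, known_user: str = "alice",
                               unknown_user: str = "nobody") -> bool:
    """True if a wrong password for a real account and an attempt on a
    non-existent account yield different responses (enumeration possible)."""
    return login(known_user, "wrong") != login(unknown_user, "wrong")
```

The same check can be pointed at a real login endpoint's response bodies and status codes to confirm a fix before re-enabling Multi-Attribute Login.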

Technical Details

Data Version
5.1
Assigner Short Name
WSO2
Date Reserved
2025-02-17T14:17:42.038Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68d646fc458ec434dfd2d0a4

Added to database: 9/26/2025, 7:55:40 AM

Last enriched: 10/4/2025, 12:28:51 AM

Last updated: 11/8/2025, 7:59:11 AM
