
CVE-2025-1396: Vulnerability in WSO2 Identity Server

Severity: Low
Published: Fri Sep 26 2025 (09/26/2025, 07:52:52 UTC)
Source: CVE Database V5
Vendor/Project: WSO2
Product: WSO2 Identity Server

Description

A username enumeration vulnerability exists in multiple WSO2 products when Multi-Attribute Login is enabled. In this configuration, the system returns a distinct "User does not exist" error message to the login form, regardless of the validate_username setting. This behavior allows malicious actors to determine which usernames exist in the system based on observable discrepancies in the application's responses. Exploitation of this vulnerability could aid in brute-force attacks, targeted phishing campaigns, or other social engineering techniques by confirming the validity of user identifiers within the system.

AI-Powered Analysis

Last updated: 09/26/2025, 07:55:56 UTC

Technical Analysis

CVE-2025-1396 is a username enumeration weakness in WSO2 Identity Server (this entry lists versions 5.10.0, 5.11.0, 6.0.0 and 6.1.0 as affected; the CVE description says the issue exists in multiple WSO2 products) when the Multi-Attribute Login feature is enabled. Multi-Attribute Login lets users sign in with an attribute such as an email address or mobile number instead of the username, so the supplied identifier must first be resolved to an account before the password is checked. When no account matches, the login form receives a distinct "User does not exist" message, and it does so regardless of the validate_username setting, the control that is supposed to suppress this kind of leak. A wrong password for an existing account produces a different response, so the two cases can be told apart.

That difference is an oracle: an attacker submits a list of candidate identifiers with an arbitrary password and sorts them into existing and non-existing accounts from the response alone. The information is most useful in the reconnaissance phase, because confirmed identifiers turn a blind brute-force or credential-stuffing run into a targeted one and make phishing and other social engineering more convincing.

The CVSS v3.1 base score is 3.7 (Low). The rating is low because the direct impact is a limited confidentiality loss (whether an identifier exists) with no effect on integrity or availability; the attack itself needs no privileges and no user interaction. No exploitation in the wild was known at publication, and this entry carries no patch or mitigation links from the vendor. WSO2 Identity Server is a widely deployed open-source identity and access management product, commonly used as the authentication and authorization hub in enterprise environments.
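The following Python is an added illustration, not WSO2 code: it models a multi-attribute login handler in its leaking form and in the uniform-response form that the Mitigation section recommends, and shows how an attacker sorts candidate identifiers using only the response text. The user store, the attributes indexed for lookup and the exact message strings are assumptions for the example.

```python
"""Model of the username-enumeration oracle behind CVE-2025-1396.

Constructed example, not WSO2 code. The user store, the attributes used
for lookup and the exact error strings are assumptions for illustration.
"""
import hashlib
import hmac
import os

# Constructed user store. With multi-attribute login a user may be looked up
# by username, email address or mobile number, so every attribute is indexed.
_USERS = {
    "alice": {"email": "alice@example.test", "mobile": "+441234567890",
              "salt": b"example-salt", "password": "correct horse"},
}


def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# lookup key (lower-cased attribute value) -> (salt, password hash)
_STORE = {}
for _uname, _rec in _USERS.items():
    _h = _hash(_rec["salt"], _rec["password"])
    for _key in (_uname, _rec["email"], _rec["mobile"]):
        _STORE[_key.lower()] = (_rec["salt"], _h)

# Dummy credentials so that an unknown identifier still costs one hash.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(_DUMMY_SALT, "unused")


def login_vulnerable(identifier: str, password: str) -> str:
    """Leaking flow: a failed lookup is reported separately from a wrong
    password, so the message itself says whether the account exists."""
    rec = _STORE.get(identifier.lower())
    if rec is None:
        return "User does not exist"          # the oracle
    salt, stored = rec
    if hmac.compare_digest(_hash(salt, password), stored):
        return "OK"
    return "Invalid credentials"


def login_hardened(identifier: str, password: str) -> str:
    """Uniform flow: unknown identifier and wrong password yield the same
    message and the same amount of work, so neither text nor timing leaks."""
    rec = _STORE.get(identifier.lower())
    salt, stored = rec if rec is not None else (_DUMMY_SALT, _DUMMY_HASH)
    matched = hmac.compare_digest(_hash(salt, password), stored)
    if matched and rec is not None:
        return "OK"
    return "Invalid credentials"


def classify(login, candidates, probe_password: str = "not-the-password") -> dict:
    """Attacker's view: bucket candidate identifiers by the response text.
    Returns {message: [identifiers]}; more than one bucket means the
    responses distinguish existing from non-existing accounts."""
    buckets: dict = {}
    for cand in candidates:
        buckets.setdefault(login(cand, probe_password), []).append(cand)
    return buckets


def has_oracle(login, candidates) -> bool:
    """True when the handler's responses partition the candidates."""
    return len(classify(login, candidates)) > 1


if __name__ == "__main__":
    probe = ["alice", "ALICE@example.test", "bob", "+441234567890", "carol"]
    print("vulnerable:", classify(login_vulnerable, probe))
    print("hardened:  ", classify(login_hardened, probe))
```

Against `login_vulnerable` the probe list splits into two buckets, which is exactly the enumeration described above; against `login_hardened` every candidate lands in the single "Invalid credentials" bucket. The hardened handler hashes a dummy credential when the lookup fails so that the unknown-identifier path does not also stand out by being faster.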

Potential Impact

For European organizations that rely on WSO2 Identity Server for user authentication, the practical impact is larger than the Low rating suggests, because the flaw is a force multiplier for other attacks rather than a compromise in itself. A confirmed list of valid identifiers makes credential stuffing and password brute-forcing far cheaper, since every guess is spent on a real account, and makes spear-phishing more convincing. Any resulting account takeover can lead to unauthorized access to sensitive systems, data breaches and disruption of business operations, and because an identity server sits in front of many connected applications and services, a single compromised account can reach all of them. Organizations in sectors with stringent data protection requirements, such as finance, healthcare and government, may also face regulatory and reputational consequences if accounts are compromised as a result.

Mitigation Recommendations

First establish whether Multi-Attribute Login is enabled on each WSO2 Identity Server deployment. The leak can be confirmed safely on your own system by submitting a login for one identifier known not to exist and one known to exist, both with a wrong password, and comparing the two responses (message text, status, redirect parameters and response time). If the feature is enabled and the responses differ, consider disabling it until WSO2 publishes a fix, bearing in mind that users who sign in with an email address or mobile number will then have to use their username. Independently of that setting, login failures should return one uniform message for unknown identifier and wrong password alike, and the two paths should do comparable work so that timing does not become the next oracle. Rate limiting is more useful than account lockout here: enumeration spends a single attempt per candidate identifier, so a per-account lockout threshold is never reached, whereas a limit keyed on source address or session does catch it. Monitor authentication logs for a source that produces many user-not-found outcomes across many distinct identifiers in a short window, and alert on that pattern separately from ordinary failed logins. Track WSO2 security advisories and apply the fix promptly when it is available, and enforce multi-factor authentication across all accounts so that a known-valid username is still not enough for a takeover.
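The log-monitoring recommendation above, as an added example that is not part of this entry or of WSO2's tooling: a small detector that alerts when one source address produces user-not-found results for many distinct identifiers within a short window. The log line format and the sample lines are constructed stand-ins, not the Identity Server's real log layout; map your own audit fields onto `parse_line()`.

```python
"""Detect username-enumeration patterns in authentication logs.

Constructed example: the log format below is a simplified stand-in, not
WSO2 Identity Server's real log layout. Map your own audit fields
(timestamp, source address, identifier, outcome) onto parse_line().
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)

# Constructed sample: a user who mistypes once (198.51.100.7), an
# enumeration run from 203.0.113.10, and one account being hammered
# from 192.0.2.5, which is a different problem and must not trigger here.
SAMPLE_LOG = """\
2025-09-26T07:52:00Z ip=198.51.100.7 user=alcie result=USER_NOT_FOUND
2025-09-26T07:52:05Z ip=198.51.100.7 user=alice result=SUCCESS
2025-09-26T07:52:10Z ip=203.0.113.10 user=admin result=USER_NOT_FOUND
2025-09-26T07:52:11Z ip=203.0.113.10 user=administrator result=USER_NOT_FOUND
2025-09-26T07:52:12Z ip=203.0.113.10 user=alice result=INVALID_CREDENTIALS
2025-09-26T07:52:13Z ip=203.0.113.10 user=bob result=USER_NOT_FOUND
2025-09-26T07:52:14Z ip=203.0.113.10 user=carol result=USER_NOT_FOUND
2025-09-26T07:52:15Z ip=203.0.113.10 user=dave result=USER_NOT_FOUND
2025-09-26T07:52:16Z ip=203.0.113.10 user=erin result=USER_NOT_FOUND
2025-09-26T07:53:00Z ip=192.0.2.5 user=frank result=USER_NOT_FOUND
2025-09-26T07:53:01Z ip=192.0.2.5 user=frank result=USER_NOT_FOUND
2025-09-26T07:53:02Z ip=192.0.2.5 user=frank result=USER_NOT_FOUND
2025-09-26T07:53:03Z ip=192.0.2.5 user=frank result=USER_NOT_FOUND
2025-09-26T07:53:04Z ip=192.0.2.5 user=frank result=USER_NOT_FOUND
"""


def parse_line(line: str):
    """Return (timestamp, ip, identifier, result) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["ip"], m["user"], m["result"]


def detect_enumeration(lines, window_s: int = 60, min_distinct: int = 5) -> list:
    """Alert once per source that produces USER_NOT_FOUND for at least
    `min_distinct` different identifiers within `window_s` seconds.
    Counting distinct identifiers (not raw failures) separates enumeration
    from a typo or from password guessing against a single account."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, identifier)
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, user, result = parsed
        if result != "USER_NOT_FOUND":
            continue
        q = recent[ip]
        q.append((ts, user))
        while q and (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        distinct = {u for _, u in q}
        if len(distinct) >= min_distinct and ip not in alerted:
            alerted.add(ip)
            alerts.append({
                "ip": ip,
                "window_start": q[0][0],
                "distinct": len(distinct),
                "identifiers": sorted(distinct),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG.splitlines()):
        print(f"enumeration from {alert['ip']} starting {alert['window_start'].isoformat()}: "
              f"{alert['distinct']} identifiers {alert['identifiers']}")
```

On the sample the detector fires once, for 203.0.113.10, at the fifth distinct missing identifier; the single mistyped login and the repeated attempts against `frank` stay below the threshold because they involve one identifier each. Tune `window_s` and `min_distinct` to the real login volume, and key the same logic on session or client fingerprint where source addresses are shared behind NAT.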


Technical Details

Data Version
5.1
Assigner Short Name
WSO2
Date Reserved
2025-02-17T14:17:42.038Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68d646fc458ec434dfd2d0a4

Added to database: 9/26/2025, 7:55:40 AM

Last enriched: 9/26/2025, 7:55:56 AM

Last updated: 9/26/2025, 10:06:09 AM

