WSO2 Identity Server - Authentication Bypass (CVE-2025-5605)

CVE-2025-5605 is an authentication bypass vulnerability affecting the Management Console of several WSO2 products, allowing attackers to manipulate request URIs and gain unauthorized access to restricted resources. While the exposure is limited to partial information disclosure, such as memory statistics, this flaw could aid attackers in gathering internal system details for further exploitation or reconnaissance.

CrowdSec has been tracking this vulnerability and its exploits since 26th of November 2025.

CrowdSec network observations suggest that most exploitation of CVE-2025-5605 involves focused reconnaissance to identify viable targets. Attackers typically tailor their campaigns based on system exposure and configuration. It is unlikely that a given attack is accidental. Additionally, according to week-over-week analysis by CrowdSec, exploitation of CVE-2025-5605 is surging. Attack volumes are spiking well above historical norms, indicating widespread and escalating interest from threat actors. CVE-2025-5605 is currently experiencing high visibility and active exploitation across the internet.

Attackers exploit authentication bypass by requesting URLs such as /carbon/server-admin/memory_info.jsp;.jar, manipulating the URI to gain unauthorized access to internal memory statistics on WSO2 Management Console endpoints.