WSO2 Identity Server - Authentication Bypass (CVE-2025-5605)

CVE-2025-5605 is an authentication bypass vulnerability affecting the Management Console of several WSO2 products, allowing attackers to manipulate request URIs and gain unauthorized access to restricted resources. While the exposure is limited to partial information disclosure, such as memory statistics, this flaw could aid attackers in gathering internal system details for further exploitation or reconnaissance.

CrowdSec has been tracking this vulnerability and its exploits since 26th of November 2025.

Data from the CrowdSec community indicates that exploitation of CVE-2025-5605 is highly selective and intelligence-driven. Threat actors use advanced reconnaissance and carefully choose their targets, often as part of sophisticated campaigns or advanced persistent threat operations. CrowdSec network telemetry also shows that exploitation of CVE-2025-5605 has significantly declined over the past week. Attack volumes are well below the long-term average, suggesting attackers are rapidly losing interest. The vulnerability appears to be falling out of active use across most threat landscapes.

Attackers exploit authentication bypass by requesting URLs such as /carbon/server-admin/memory_info.jsp;.jar, manipulating the URI to gain unauthorized access to internal memory statistics on WSO2 Management Console endpoints.