CVE-2025-9804
Improper Access Control in Multiple WSO2 Products via Internal SOAP Admin Services and System REST APIs
An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information.
Only the internal administrative interfaces (the SOAP Admin Services and System REST APIs named above) are affected; APIs published through the WSO2 API Manager's API Gateway are not.
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected products
WSO2 · API Manager Analytics
WSO2 · org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util
WSO2 · org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector
WSO2 · org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt
WSO2 · org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow
WSO2 · org.wso2.carbon:org.wso2.carbon.base
WSO2 · org.wso2.carbon:org.wso2.carbon.server.admin
WSO2 · WSO2 API Control Plane
WSO2 · WSO2 API Manager
WSO2 · WSO2 Data Analytics Server
WSO2 · WSO2 Enterprise Integrator
WSO2 · WSO2 Enterprise Mobility Manager
WSO2 · WSO2 Enterprise Service Bus Analytics
WSO2 · WSO2 Identity Server
WSO2 · WSO2 Identity Server Analytics
WSO2 · WSO2 Identity Server as Key Manager
WSO2 · WSO2 Open Banking AM
WSO2 · WSO2 Open Banking IAM
WSO2 · WSO2 Open Banking KM
WSO2 · WSO2 Traffic Manager
WSO2 · WSO2 Universal Gateway