CVE-2025-9804
MEDIUM EPSS 39.6%
Published Oct 16, 20258mo ago · Modified Jun 17, 20261w ago
6.5 CVSS 3.1
Published Oct 16, 2025 8mo ago
Last Modified Jun 17, 2026 1w ago
Description
An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information. This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None
Threat Intelligence
EPSS Exploit Probability
39.6% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses 1
CWE-284
Affected Products 59
| Vendor | Product | Version | Range |
|---|---|---|---|
| wso2 | api_control_plane | 4.5.0 | any |
| wso2 | api_manager | 2.0.0 | any |
| wso2 | api_manager | 2.1.0 | any |
| wso2 | api_manager | 2.2.0 | any |
| wso2 | api_manager | 2.5.0 | any |
| wso2 | api_manager | 2.6.0 | any |
| wso2 | api_manager | 3.0.0 | any |
| wso2 | api_manager | 3.1.0 | any |
| wso2 | api_manager | 3.2.0 | any |
| wso2 | api_manager | 3.2.1 | any |
| wso2 | api_manager | 4.0.0 | any |
| wso2 | api_manager | 4.1.0 | any |
| wso2 | api_manager | 4.2.0 | any |
| wso2 | api_manager | 4.3.0 | any |
| wso2 | api_manager | 4.4.0 | any |
| wso2 | api_manager | 4.5.0 | any |
| wso2 | api_manager_analytics | 2.0.0 | any |
| wso2 | api_manager_analytics | 2.1.0 | any |
| wso2 | api_manager_analytics | 2.2.0 | any |
| wso2 | api_manager_analytics | 2.5.0 | any |
| wso2 | data_analytics_server | 3.1.0 | any |
| wso2 | data_analytics_server | 3.2.0 | any |
| wso2 | enterprise_integrator | 6.2.0 | any |
| wso2 | enterprise_integrator | 6.3.0 | any |
| wso2 | enterprise_mobility_manager | 2.2.0 | any |
| wso2 | enterprise_service_bus | 5.0.0 | any |
| wso2 | identity_server | 5.2.0 | any |
| wso2 | identity_server | 5.3.0 | any |
| wso2 | identity_server | 5.4.0 | any |
| wso2 | identity_server | 5.4.1 | any |
| wso2 | identity_server | 5.5.0 | any |
| wso2 | identity_server | 5.6.0 | any |
| wso2 | identity_server | 5.7.0 | any |
| wso2 | identity_server | 5.8.0 | any |
| wso2 | identity_server | 5.9.0 | any |
| wso2 | identity_server | 5.10.0 | any |
| wso2 | identity_server | 5.11.0 | any |
| wso2 | identity_server | 6.0.0 | any |
| wso2 | identity_server | 6.1.0 | any |
| wso2 | identity_server | 7.0.0 | any |
| wso2 | identity_server | 7.1.0 | any |
| wso2 | identity_server_analytics | 5.2.0 | any |
| wso2 | identity_server_analytics | 5.3.0 | any |
| wso2 | identity_server_analytics | 5.5.0 | any |
| wso2 | identity_server_analytics | 5.6.0 | any |
| wso2 | identity_server_as_key_manager | 5.3.0 | any |
| wso2 | identity_server_as_key_manager | 5.5.0 | any |
| wso2 | identity_server_as_key_manager | 5.6.0 | any |
| wso2 | identity_server_as_key_manager | 5.7.0 | any |
| wso2 | identity_server_as_key_manager | 5.9.0 | any |
| wso2 | identity_server_as_key_manager | 5.10.0 | any |
| wso2 | open_banking_am | 1.4.0 | any |
| wso2 | open_banking_am | 1.5.0 | any |
| wso2 | open_banking_am | 2.0.0 | any |
| wso2 | open_banking_iam | 2.0.0 | any |
| wso2 | open_banking_km | 1.4.0 | any |
| wso2 | open_banking_km | 1.5.0 | any |
| wso2 | traffic_manager | 4.5.0 | any |
| wso2 | universal_gateway | 4.5.0 | any |
References 1
- security.docs.wso2.com https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.