CVE-2025-10611
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2025-10-16
Last updated on: 2025-11-21
Assigner: WSO2 LLC
Description
Description
Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without proper validation.
Successful exploitation of this vulnerability could lead to a malicious actor gaining administrative access and performing unauthenticated and unauthorized administrative operations.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wso2 | api_control_plane | 4.5.0 |
| wso2 | api_manager | 2.1.0 |
| wso2 | api_manager | 2.2.0 |
| wso2 | api_manager | 2.5.0 |
| wso2 | api_manager | 2.6.0 |
| wso2 | api_manager | 3.0.0 |
| wso2 | api_manager | 3.1.0 |
| wso2 | api_manager | 3.2.0 |
| wso2 | api_manager | 3.2.1 |
| wso2 | api_manager | 4.0.0 |
| wso2 | api_manager | 4.1.0 |
| wso2 | api_manager | 4.2.0 |
| wso2 | api_manager | 4.3.0 |
| wso2 | api_manager | 4.4.0 |
| wso2 | api_manager | 4.5.0 |
| wso2 | identity_server | 5.3.0 |
| wso2 | identity_server | 5.5.0 |
| wso2 | identity_server | 5.6.0 |
| wso2 | identity_server | 5.7.0 |
| wso2 | identity_server | 5.8.0 |
| wso2 | identity_server | 5.9.0 |
| wso2 | identity_server | 5.10.0 |
| wso2 | identity_server | 5.11.0 |
| wso2 | identity_server | 6.0.0 |
| wso2 | identity_server | 6.1.0 |
| wso2 | identity_server | 7.0.0 |
| wso2 | identity_server | 7.1.0 |
| wso2 | identity_server_as_key_manager | 5.3.0 |
| wso2 | identity_server_as_key_manager | 5.5.0 |
| wso2 | identity_server_as_key_manager | 5.6.0 |
| wso2 | identity_server_as_key_manager | 5.7.0 |
| wso2 | identity_server_as_key_manager | 5.9.0 |
| wso2 | identity_server_as_key_manager | 5.10.0 |
| wso2 | open_banking_am | 1.4.0 |
| wso2 | open_banking_am | 1.5.0 |
| wso2 | open_banking_am | 2.0.0 |
| wso2 | open_banking_iam | 2.0.0 |
| wso2 | open_banking_km | 1.4.0 |
| wso2 | open_banking_km | 1.5.0 |
| wso2 | traffic_manager | 4.5.0 |
| wso2 | universal_gateway | 4.5.0 |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is caused by insufficient access control in multiple WSO2 Products, allowing certain REST APIs to be accessed without proper authentication and authorization checks. This means that attackers can bypass security controls and invoke these APIs without validation.
How can this vulnerability impact me? :
Exploiting this vulnerability could allow a malicious actor to gain administrative access and perform unauthorized administrative operations without authentication, potentially compromising the entire system's confidentiality, integrity, and availability.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70