CVE-2025-9804
BaseFortify
Publication date: 2025-10-16
Last updated on: 2025-11-21
Assigner: WSO2 LLC
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wso2 | api_control_plane | 4.5.0 |
| wso2 | api_manager | 2.0.0 |
| wso2 | api_manager | 2.1.0 |
| wso2 | api_manager | 2.2.0 |
| wso2 | api_manager | 2.5.0 |
| wso2 | api_manager | 2.6.0 |
| wso2 | api_manager | 3.0.0 |
| wso2 | api_manager | 3.1.0 |
| wso2 | api_manager | 3.2.0 |
| wso2 | api_manager | 3.2.1 |
| wso2 | api_manager | 4.0.0 |
| wso2 | api_manager | 4.1.0 |
| wso2 | api_manager | 4.2.0 |
| wso2 | api_manager | 4.3.0 |
| wso2 | api_manager | 4.4.0 |
| wso2 | api_manager | 4.5.0 |
| wso2 | api_manager_analytics | 2.0.0 |
| wso2 | api_manager_analytics | 2.1.0 |
| wso2 | api_manager_analytics | 2.2.0 |
| wso2 | api_manager_analytics | 2.5.0 |
| wso2 | data_analytics_server | 3.1.0 |
| wso2 | data_analytics_server | 3.2.0 |
| wso2 | enterprise_integrator | 6.2.0 |
| wso2 | enterprise_integrator | 6.3.0 |
| wso2 | enterprise_mobility_manager | 2.2.0 |
| wso2 | enterprise_service_bus | 5.0.0 |
| wso2 | identity_server | 5.2.0 |
| wso2 | identity_server | 5.3.0 |
| wso2 | identity_server | 5.4.0 |
| wso2 | identity_server | 5.4.1 |
| wso2 | identity_server | 5.5.0 |
| wso2 | identity_server | 5.6.0 |
| wso2 | identity_server | 5.7.0 |
| wso2 | identity_server | 5.8.0 |
| wso2 | identity_server | 5.9.0 |
| wso2 | identity_server | 5.10.0 |
| wso2 | identity_server | 5.11.0 |
| wso2 | identity_server | 6.0.0 |
| wso2 | identity_server | 6.1.0 |
| wso2 | identity_server | 7.0.0 |
| wso2 | identity_server | 7.1.0 |
| wso2 | identity_server_analytics | 5.2.0 |
| wso2 | identity_server_analytics | 5.3.0 |
| wso2 | identity_server_analytics | 5.5.0 |
| wso2 | identity_server_analytics | 5.6.0 |
| wso2 | identity_server_as_key_manager | 5.3.0 |
| wso2 | identity_server_as_key_manager | 5.5.0 |
| wso2 | identity_server_as_key_manager | 5.6.0 |
| wso2 | identity_server_as_key_manager | 5.7.0 |
| wso2 | identity_server_as_key_manager | 5.9.0 |
| wso2 | identity_server_as_key_manager | 5.10.0 |
| wso2 | open_banking_am | 1.4.0 |
| wso2 | open_banking_am | 1.5.0 |
| wso2 | open_banking_am | 2.0.0 |
| wso2 | open_banking_iam | 2.0.0 |
| wso2 | open_banking_km | 1.4.0 |
| wso2 | open_banking_km | 1.5.0 |
| wso2 | traffic_manager | 4.5.0 |
| wso2 | universal_gateway | 4.5.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This is an improper access control vulnerability (CWE-284) in multiple WSO2 products. Certain internal SOAP Admin Services and System REST APIs do not enforce authorization on the operations they expose: a caller who is authenticated but holds only low privileges can invoke them and perform operations that should require administrative rights, including reading sensitive server-level information. The flaw is confined to these internal administrative interfaces; APIs published through the API Gateway of WSO2 API Manager are not affected.
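The following is an added illustration of the flaw class the advisory describes, not WSO2 code: an internal admin operation whose dispatcher checks who the caller is but never checks what the caller is permitted to do, beside a dispatcher that binds every operation to a required permission and denies by default. The account names, the permission strings and the "server info" payload are constructed for the demo and do not come from the advisory.

```python
# Added example (not WSO2 code): the CWE-284 shape described in the advisory,
# an internal admin operation that checks *who* the caller is but never checks
# *what* the caller may do, next to a dispatcher that enforces a per-operation
# permission by default. Account names, permission strings and the "server
# info" payload are constructed for the demo.
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class Principal:
    """An authenticated caller and the permissions granted to it."""
    username: str
    permissions: frozenset


class Forbidden(Exception):
    """Authenticated caller lacks the permission the operation requires."""


# Constructed accounts: an administrator and a low-privileged (but valid) user.
ADMIN = Principal("admin", frozenset({"/permission/admin/login",
                                      "/permission/admin/manage"}))
LOW_PRIV = Principal("alice", frozenset({"/permission/admin/login"}))

# Constructed stand-in for the sensitive server-level information.
SERVER_INFO = {"os.name": "Linux", "java.home": "/opt/jdk",
               "carbon.home": "/opt/wso2"}


def get_server_info() -> dict:
    return dict(SERVER_INFO)


# --- Vulnerable shape -------------------------------------------------------
# Authentication has already happened (we hold a Principal), but nothing ties
# the operation to a required permission, so every logged-in account may call
# every operation. This is the missing authorization check of CWE-284.
VULNERABLE_HANDLERS: Dict[str, Callable[[], dict]] = {
    "getServerInfo": get_server_info,
}


def vulnerable_dispatch(caller: Principal, operation: str) -> dict:
    return VULNERABLE_HANDLERS[operation]()


# --- Hardened shape ---------------------------------------------------------
# Every operation is registered together with the permission it requires;
# the dispatcher refuses unknown operations (default deny) and callers that
# lack the declared permission, so a handler cannot be added without naming
# who may invoke it.
OPERATIONS: Dict[str, Tuple[str, Callable[[], dict]]] = {}


def admin_operation(name: str, permission: str):
    def register(fn: Callable[[], dict]) -> Callable[[], dict]:
        OPERATIONS[name] = (permission, fn)
        return fn
    return register


@admin_operation("getServerInfo", "/permission/admin/manage")
def get_server_info_op() -> dict:
    return get_server_info()


def hardened_dispatch(caller: Principal, operation: str) -> dict:
    entry = OPERATIONS.get(operation)
    if entry is None:
        raise Forbidden(f"unknown operation {operation!r}")
    required, handler = entry
    if required not in caller.permissions:
        raise Forbidden(f"{caller.username} lacks {required}")
    return handler()


def allowed(dispatch: Callable[[Principal, str], dict],
            caller: Principal, operation: str) -> bool:
    """True if `dispatch` serves the operation to `caller`, False if it refuses."""
    try:
        dispatch(caller, operation)
        return True
    except (Forbidden, KeyError):
        return False


if __name__ == "__main__":
    for name, dispatch in (("vulnerable", vulnerable_dispatch),
                           ("hardened", hardened_dispatch)):
        for caller in (ADMIN, LOW_PRIV):
            served = allowed(dispatch, caller, "getServerInfo")
            print(f"{name:10s} {caller.username:6s} getServerInfo -> "
                  f"{'served' if served else 'refused'}")
```

Running the block shows the low-privileged account served by the vulnerable dispatcher and refused by the hardened one. The design point is that the permission is declared at registration time and checked in one place: a new operation that omits the permission cannot be registered, and an operation nobody registered is refused rather than silently served, which is the review question to ask of any internal admin interface.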
How can this vulnerability impact me?
A low-privileged account on an affected product can perform administrative operations it was never granted and read sensitive server-level information. Depending on which operations the exposed services offer in a given product and version, that can lead to data exposure, unauthorized changes to server configuration or data, and service disruption, and the disclosed information can help an attacker plan further attacks against the deployment.