CVE-2025-9804
Severity CVSS v4.0:
Pending analysis
Type:
CWE-284
Improper Access Control
Publication date:
16/10/2025
Last modified:
21/11/2025
Description
An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information.<br />
<br />
This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager&#39;s API Gateway remain unaffected.
Impact
Base Score 3.x
9.60
Severity 3.x
CRITICAL
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:wso2:api_control_plane:4.5.0:-:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:2.0.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:2.1.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:2.2.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:2.5.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:2.6.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:3.0.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:3.2.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:4.1.0:-:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:4.2.0:-:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:4.3.0:-:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:4.4.0:-:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page