CVE-2025-9804 – WSO2 Products Improper Access Control Vulnerability in Internal APIs

Vulnerability

Patched

A vulnerability allowing improper access control has been identified in multiple WSO2 products. This issue arises from inadequate permission enforcement in certain internal SOAP Admin Services and System REST APIs, allowing low-privileged users to perform unauthorized operations, such as accessing server-level information. The vulnerability is limited to internal administrative interfaces, with APIs exposed through the WSO2 API Manager's API Gateway remaining unaffected.

Impact

Exploitation of this vulnerability could enable unauthorized users to perform restricted actions or access sensitive server-level information on the affected WSO2 product.

Remediation

Users can apply the relevant fixes available on GitHub for their specific WSO2 product version. For WSO2 Support Subscription Holders, updates can be applied through the WSO2 Updates service.

Added: Oct 16, 2025, 1:18 PM

Updated: Oct 16, 2025, 3:42 PM

Affected Products

WSO2 API Manager Analytics

Moderate fix4 remedies

cpe:2.3:a:wso2:api_manager_analytics:*:*:*:*:*:*:*

Moderate fix4 remedies

2.5.0
2.2.0
2.1.0
2.0.0

WSO2 API Manager

Moderate fix16 remedies

cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*

Moderate fix16 remedies

>= 4.5.0, < 4.5.0-23
>= 4.4.0, < 4.4.0-39
>= 4.3.0, < 4.3.0-75
>= 4.2.0, < 4.2.0-162
>= 4.1.0, < 4.1.0-224
>= 4.0.0, < 4.0.0-361
>= 3.2.1, < 3.2.1-61
>= 3.2.0, < 3.2.0-441
>= 3.1.0, < 3.1.0-340
>= 3.0.0, < 3.0.0-176
>= 2.6.0, < 2.6.0-146
>= 2.5.0, < 2.5.0-85
>= 2.2.0, < 2.2.0-59
>= 2.1.0, < 2.1.0-40
>= 2.0.0, < 2.0.0-31

WSO2 Data Analytics Server

Moderate fix2 remedies

cpe:2.3:a:wso2:data_analytics_server:*:*:*:*:*:*:*

Moderate fix2 remedies

3.2.0
3.1.0

WSO2 Enterprise Integrator

Moderate fix2 remedies

cpe:2.3:a:wso2:enterprise_integrator:*:*:*:*:*:*:*

Moderate fix2 remedies

6.3.0
6.2.0

WSO2 Enterprise Mobility Manager

Moderate fix1 remedy

cpe:2.3:a:wso2:enterprise_mobility_manager:*:*:*:*:*:*:*

Moderate fix1 remedy

2.2.0

WSO2 Identity Server Analytics

Moderate fix4 remedies

cpe:2.3:a:wso2:identity_server_analytics:*:*:*:*:*:*:*

Moderate fix4 remedies

5.6.0
5.5.0
5.3.0
5.2.0

WSO2 Identity Server as Key Manager

Moderate fix6 remedies

cpe:2.3:a:wso2:identity_server_as_key_manager:*:*:*:*:*:*:*

Moderate fix6 remedies

5.10.0
5.9.0
5.7.0
5.6.0
5.5.0
5.3.0

WSO2 Identity Server

Moderate fix15 remedies

cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*

Moderate fix15 remedies

7.1.0
7.0.0
6.1.0
6.0.0
5.11.0
5.10.0
5.9.0
5.8.0
5.7.0
5.6.0
5.5.0
5.4.1
5.4.0
5.3.0
5.2.0

WSO2 Open Banking AM

Moderate fix3 remedies

cpe:2.3:a:wso2:open_banking_am:*:*:*:*:*:*:*

Moderate fix3 remedies

2.0.0
1.5.0
1.4.0

WSO2 Open Banking IAM

Moderate fix1 remedy

cpe:2.3:a:wso2:open_banking_iam:*:*:*:*:*:*:*

Moderate fix1 remedy

2.0.0

WSO2 Open Banking KM

Moderate fix2 remedies

cpe:2.3:a:wso2:open_banking_km:*:*:*:*:*:*:*

Moderate fix2 remedies

1.5.0
1.4.0

CVSS Scores

volerion

7.0

CVSS 4.0

7.0

High

volerion

6.3

CVSS 3.1

6.3

Medium

nvd@nist.gov

6.5

CVSS 3.1

6.5

Medium

Vendor

9.6

CVSS 3.1

9.6

Critical

Click a row to open the calculator.

References

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/

AdvisoryBundleRemedyVendor

Showing 1-1 of 1 references

WSO2 Products Improper Access Control Vulnerability in Internal APIs

Vulnerability

Impact

Remediation

Affected Products

WSO2 API Manager Analytics

WSO2 API Manager

WSO2 Data Analytics Server

WSO2 Enterprise Integrator

WSO2 Enterprise Mobility Manager

WSO2 Identity Server Analytics

WSO2 Identity Server as Key Manager

WSO2 Identity Server

WSO2 Open Banking AM

WSO2 Open Banking IAM

WSO2 Open Banking KM

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating