CVE-2025-9804

Published: Oct 16, 2025

Modified: Oct 17, 2025

Status: PUBLISHED

CVSS v3.1 score: 9.6 (CRITICAL)

Description

An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information. This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected.

Affected vendor, products and versions

Vendor: WSO2 (all products listed below). Each line gives the status assigned to a version range, followed by the range.

Product: WSO2 Identity Server as Key Manager
unknown:  0 - < 5.3.0
affected: 5.3.0 - < 5.3.0.41
affected: 5.5.0 - < 5.5.0.53
affected: 5.6.0 - < 5.6.0.75
affected: 5.7.0 - < 5.7.0.125
+2 more versions

Product: WSO2 Identity Server
unknown:  0 - < 5.2.0
affected: 5.2.0 - < 5.2.0.34
affected: 5.3.0 - < 5.3.0.36
affected: 5.4.0 - < 5.4.0.34
affected: 5.4.1 - < 5.4.1.38
+11 more versions

Product: WSO2 Open Banking KM
unknown:  0 - < 1.4.0
affected: 1.4.0 - < 1.4.0.133
affected: 1.5.0 - < 1.5.0.123

Product: WSO2 Open Banking IAM
unknown:  0 - < 2.0.0
affected: 2.0.0 - < 2.0.0.409

Product: WSO2 Open Banking AM
unknown:  0 - < 1.4.0
affected: 1.4.0 - < 1.4.0.139
affected: 1.5.0 - < 1.5.0.140
affected: 2.0.0 - < 2.0.0.389

Product: WSO2 API Manager
unknown:  0 - < 2.0.0
affected: 2.0.0 - < 2.0.0.31
affected: 2.1.0 - < 2.1.0.40
affected: 2.2.0 - < 2.2.0.59
affected: 2.5.0 - < 2.5.0.85
+11 more versions

Product: WSO2 Identity Server Analytics
unknown:  0 - < 5.2.0
affected: 5.2.0 - < 5.2.0.19
affected: 5.3.0 - < 5.3.0.17
affected: 5.5.0 - < 5.5.0.31
affected: 5.6.0 - < 5.6.0.38

Product: API Manager Analytics
unknown:  0 - < 2.0.0
affected: 2.0.0 - < 2.0.0.14
affected: 2.1.0 - < 2.1.0.19
affected: 2.2.0 - < 2.2.0.30
affected: 2.5.0 - < 2.5.0.39

Product: WSO2 Enterprise Integrator
unknown:  0 - < 6.2.0
affected: 6.2.0 - < 6.2.0.62
affected: 6.3.0 - < 6.3.0.70

Product: WSO2 Enterprise Service Bus Analytics
unknown:  0 - < 5.0.0
affected: 5.0.0 - < 5.0.0.13

Product: WSO2 Data Analytics Server
unknown:  0 - < 3.1.0
affected: 3.1.0 - < 3.1.0.20
affected: 3.2.0 - < 3.2.0.33

Product: WSO2 Enterprise Mobility Manager
unknown:  0 - < 2.2.0
affected: 2.2.0 - < 2.2.0.28

Product: WSO2 Universal Gateway
affected: 4.5.0 - < 4.5.0.22

Product: WSO2 API Control Plane
affected: 4.5.0 - < 4.5.0.24

Product: WSO2 Traffic Manager
affected: 4.5.0 - < 4.5.0.22

Product: org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector
affected: 2.0.10 - < 2.0.10.1
affected: 2.0.15 - < 2.0.15.1
affected: 2.0.21 - < 2.0.21.1
affected: 2.0.22 - < 2.0.22.1
affected: 2.1.12 - < 2.1.12.1
+8 more versions

Product: org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util
affected: 6.7.206 - < 6.7.206.567
affected: 6.7.210 - < 6.7.210.63
affected: 9.0.174 - < 9.0.174.522
affected: 9.20.74 - < 9.20.74.379
affected: 9.28.116 - < 9.28.116.360
+4 more versions

Product: org.wso2.carbon:org.wso2.carbon.base
affected: 4.4.7 - < 4.4.7.6
affected: 4.4.9 - < 4.4.9.11
affected: 4.4.11 - < 4.4.11.9
affected: 4.4.26 - < 4.4.26.12
affected: 4.4.35 - < 4.4.35.44
+16 more versions

Product: org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt
affected: 5.2.0 - < 5.2.0.4
affected: 5.2.2 - < 5.2.2.21
affected: 5.7.5 - < 5.7.5.18
affected: 5.11.148 - < 5.11.148.19
affected: 5.11.256 - < 5.11.256.21
+17 more versions

Product: org.wso2.carbon:org.wso2.carbon.server.admin
affected: 4.4.7 - < 4.4.7.6
affected: 4.4.9 - < 4.4.9.11
affected: 4.4.11 - < 4.4.11.9
affected: 4.4.26 - < 4.4.26.12
affected: 4.4.32 - < 4.4.32.16
+17 more versions

Product: org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow
affected: 5.1.1 - < 5.1.1.1
affected: 5.1.2 - < 5.1.2.1
affected: 5.1.5 - < 5.1.5.1
affected: 5.3.3 - < 5.3.3.1
affected: 5.4.0 - < 5.4.0.4
+3 more versions

CVSS v3.1 Details

Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
