An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information. This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected.

Metrics

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

Vendors Products
Wso2
  • Api Control Plane
  • Api Manager
  • Api Manager Analytics
  • Carbon
  • Carbon Identity Application Authentication Framework
  • Data Analytics Server
  • Enterprise Integrator
  • Enterprise Mobility Manager
  • Identity Server
  • Identity Server Analytics
  • Identity Server As Key Manager
  • Open Banking Am
  • Open Banking Iam
  • Open Banking Km
  • Traffic Manager
  • Universal Gateway

No data.

No data.

References
Link Providers
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/ cve-icon cve-icon
History

Tue, 21 Oct 2025 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Wso2
Wso2 api Control Plane
Wso2 api Manager
Wso2 api Manager Analytics
Wso2 carbon
Wso2 carbon Identity Application Authentication Framework
Wso2 data Analytics Server
Wso2 enterprise Integrator
Wso2 enterprise Mobility Manager
Wso2 identity Server
Wso2 identity Server Analytics
Wso2 identity Server As Key Manager
Wso2 open Banking Am
Wso2 open Banking Iam
Wso2 open Banking Km
Wso2 traffic Manager
Wso2 universal Gateway
Vendors & Products Wso2
Wso2 api Control Plane
Wso2 api Manager
Wso2 api Manager Analytics
Wso2 carbon
Wso2 carbon Identity Application Authentication Framework
Wso2 data Analytics Server
Wso2 enterprise Integrator
Wso2 enterprise Mobility Manager
Wso2 identity Server
Wso2 identity Server Analytics
Wso2 identity Server As Key Manager
Wso2 open Banking Am
Wso2 open Banking Iam
Wso2 open Banking Km
Wso2 traffic Manager
Wso2 universal Gateway

Fri, 17 Oct 2025 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Thu, 16 Oct 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 16 Oct 2025 13:00:00 +0000

Type Values Removed Values Added
Description An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information. This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected.
Title Improper Access Control in Multiple WSO2 Products via Internal SOAP Admin Services and System REST APIs
References
Metrics cvssV3_1

{'score': 8.9, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L'}
cve-icon MITRE

Status: PUBLISHED

Assigner: WSO2

Published:

Updated: 2025-10-17T16:01:25.350Z

Reserved: 2025-09-01T13:11:12.678Z

Link: CVE-2025-9804

cve-icon Vulnrichment

Updated: 2025-10-16T13:21:20.748Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-10-16T13:15:42.130

Modified: 2025-10-17T16:15:39.670

Link: CVE-2025-9804

cve-icon Redhat

No data.