CVE-2024-7097

MEDIUM EXPLOITED NUCLEI

Wso2 API Manager - Incorrect Authorization

Title source: rule

Description

An incorrect authorization vulnerability exists in multiple WSO2 products due to a flaw in the SOAP admin service, which allows user account creation regardless of the self-registration configuration settings. This vulnerability enables malicious actors to create new user accounts without proper authorization. Exploitation of this flaw could allow an attacker to create multiple low-privileged user accounts, gaining unauthorized access to the system. Additionally, continuous exploitation could lead to system resource exhaustion through mass user creation.

Nuclei Templates (1)

WSO2 User Registration - Arbitrary Account Creation

MEDIUMVERIFIEDby iamnoooob,rootxharsh,pdresearch

Shodan: WSO2 Carbon Server

References (1)

[Vendor Advisory] https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3574/

Scores

CVSS v3 4.3

EPSS 0.2681

EPSS Percentile 96.4%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Details

VulnCheck KEV 2025-02-02

CWE

CWE-863

Status published

Products (37)

wso2/api_manager 2.1.0

wso2/api_manager 2.2.0

wso2/api_manager 2.5.0

wso2/api_manager 2.6.0

wso2/api_manager 3.0.0

wso2/api_manager 3.1.0

wso2/api_manager 3.2.0

wso2/api_manager 3.2.1

wso2/api_manager 4.0.0

wso2/api_manager 4.1.0

... and 27 more

Published May 30, 2025

Tracked Since Feb 18, 2026