CVE-2025-5605
MEDIUM | EXPLOITED | NUCLEI
WSO2 API Control Plane - Authentication Bypass by Spoofing
Title source: ruleDescription
An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the console can manipulate the request URI to bypass authentication and access certain restricted resources, resulting in partial information disclosure. The known exposure from this issue is limited to memory statistics. While the vulnerability does not allow full account compromise, it still enables unauthorized access to internal system details.
Nuclei Templates (1)
WSO2 Management Console - Authentication Bypass
MEDIUM | VERIFIED | by DhiyaneshDK
Shodan: http.favicon.hash:1398055326
Scores
CVSS v3: 4.3
EPSS: 0.0522
EPSS Percentile: 90.0%
Attack Vector: ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
VulnCheck KEV: 2025-11-28
CWE: CWE-290
Status: published
Products (22)
wso2/api_control_plane 4.5.0
wso2/api_manager 3.1.0
wso2/api_manager 3.2.0
wso2/api_manager 3.2.1
wso2/api_manager 4.0.0
wso2/api_manager 4.1.0
wso2/api_manager 4.2.0
wso2/api_manager 4.3.0
wso2/api_manager 4.4.0
wso2/api_manager 4.5.0
... and 12 more
Published: Oct 24, 2025
Tracked Since: Feb 18, 2026