CVE-2025-9804
Severity: CRITICAL
WSO2 API Manager and Analytics - Improper Access Control in SOAP Admin Services and System REST APIs
Title source: llmDescription
An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information. This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected.
References (1)
Vendor Advisory
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/
Scores
CVSS v3: 9.6
EPSS: 0.0051
EPSS Percentile: 39.4%
Attack Vector: ADJACENT_NETWORK
Vector string: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-284
Status: published
Products (50)
wso2/api_control_plane 4.5.0
wso2/api_manager 2.0.0
wso2/api_manager 2.1.0
wso2/api_manager 2.2.0
wso2/api_manager 2.5.0
wso2/api_manager 2.6.0
wso2/api_manager 3.0.0
wso2/api_manager 3.1.0
wso2/api_manager 3.2.0
wso2/api_manager 3.2.1
... and 40 more
Published: Oct 16, 2025
Tracked Since: Feb 18, 2026