An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information.

This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected. The CVSS vector recorded below (AV:A, PR:L, S:C) is consistent with that description: an attacker needs an existing low-privileged account and network reachability to the internal administrative interfaces, not an unauthenticated path through the gateway, and the scope change reflects that the information obtained is server-level rather than limited to the attacker's own resources.
Advisories

No advisories yet.

Fixes

Solution

Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/#solution


Workaround

No workaround given by the vendor.

History

Tue, 21 Oct 2025 09:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
  Wso2
  Wso2 api Control Plane
  Wso2 api Manager
  Wso2 api Manager Analytics
  Wso2 carbon
  Wso2 carbon Identity Application Authentication Framework
  Wso2 data Analytics Server
  Wso2 enterprise Integrator
  Wso2 enterprise Mobility Manager
  Wso2 identity Server
  Wso2 identity Server Analytics
  Wso2 identity Server As Key Manager
  Wso2 open Banking Am
  Wso2 open Banking Iam
  Wso2 open Banking Km
  Wso2 traffic Manager
  Wso2 universal Gateway

Type: Vendors & Products
Values Removed: (none)
Values Added: the same 17 vendor and product entries listed under "First Time appeared" above

Fri, 17 Oct 2025 16:15:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-284

Thu, 16 Oct 2025 14:15:00 +0000

Type: Metrics ssvc
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 16 Oct 2025 13:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information. This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected.

Type: Title
Values Removed: (none)
Values Added: Improper Access Control in Multiple WSO2 Products via Internal SOAP Admin Services and System REST APIs

Type: References
Values Removed: (none)
Values Added:

Type: Metrics cvssV3_1
Values Removed: (none)
Values Added: {'score': 8.9, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: WSO2

Published:

Updated: 2025-10-17T16:01:25.350Z

Reserved: 2025-09-01T13:11:12.678Z

Link: CVE-2025-9804

Vulnrichment

Updated: 2025-10-16T13:21:20.748Z

NVD

Status: Awaiting Analysis

Published: 2025-10-16T13:15:42.130

Modified: 2025-10-17T16:15:39.670

Link: CVE-2025-9804

Redhat

No data.

OpenCVE Enrichment

Updated: 2025-10-21T09:39:57Z