CVE-2025-10611

Summary

Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without proper validation.

Successful exploitation of this vulnerability could lead to a malicious actor gaining administrative access and performing unauthenticated and unauthorized administrative operations.

Affected Software

VendorProductVersion RangeStatus
WSO2WSO2 API Manager0 < 2.1.0unknown
WSO2WSO2 API Manager2.1.0 < 2.1.0.42affected
WSO2WSO2 API Manager2.2.0 < 2.2.0.61affected
WSO2WSO2 API Manager2.5.0 < 2.5.0.87affected
WSO2WSO2 API Manager2.6.0 < 2.6.0.148affected
WSO2WSO2 API Manager3.0.0 < 3.0.0.178affected
WSO2WSO2 API Manager3.1.0 < 3.1.0.345affected
WSO2WSO2 API Manager3.2.0 < 3.2.0.446affected
WSO2WSO2 API Manager3.2.1 < 3.2.1.66affected
WSO2WSO2 API Manager4.0.0 < 4.0.0.366affected
WSO2WSO2 API Manager4.1.0 < 4.1.0.228affected
WSO2WSO2 API Manager4.2.0 < 4.2.0.169affected
WSO2WSO2 API Manager4.3.0 < 4.3.0.81affected
WSO2WSO2 API Manager4.4.0 < 4.4.0.45affected
WSO2WSO2 API Manager4.5.0 < 4.5.0.28affected
WSO2WSO2 API Control Plane4.5.0 < 4.5.0.29affected
WSO2WSO2 Open Banking AM0 < 1.4.0unknown
WSO2WSO2 Open Banking AM1.4.0 < 1.4.0.141affected
WSO2WSO2 Open Banking AM1.5.0 < 1.5.0.142affected
WSO2WSO2 Open Banking AM2.0.0 < 2.0.0.394affected
WSO2WSO2 Open Banking IAM0 < 2.0.0unknown
WSO2WSO2 Open Banking IAM2.0.0 < 2.0.0.414affected
WSO2WSO2 Identity Server0 < 5.3.0unknown
WSO2WSO2 Identity Server5.3.0 < 5.3.0.39affected
WSO2WSO2 Identity Server5.5.0 < 5.5.0.54affected
WSO2WSO2 Identity Server5.6.0 < 5.6.0.62affected
WSO2WSO2 Identity Server5.7.0 < 5.7.0.128affected
WSO2WSO2 Identity Server5.8.0 < 5.8.0.112affected
WSO2WSO2 Identity Server5.9.0 < 5.9.0.171affected
WSO2WSO2 Identity Server5.10.0 < 5.10.0.375affected
WSO2WSO2 Identity Server5.11.0 < 5.11.0.419affected
WSO2WSO2 Identity Server6.0.0 < 6.0.0.248affected
WSO2WSO2 Identity Server6.1.0 < 6.1.0.248affected
WSO2WSO2 Identity Server7.0.0 < 7.0.0.124affected
WSO2WSO2 Identity Server7.1.0 < 7.1.0.31affected
WSO2WSO2 Identity Server as Key Manager0 < 5.3.0unknown
WSO2WSO2 Identity Server as Key Manager5.3.0 < 5.3.0.44affected
WSO2WSO2 Identity Server as Key Manager5.5.0 < 5.5.0.55affected
WSO2WSO2 Identity Server as Key Manager5.6.0 < 5.6.0.77affected
WSO2WSO2 Identity Server as Key Manager5.7.0 < 5.7.0.127affected
WSO2WSO2 Identity Server as Key Manager5.9.0 < 5.9.0.178affected
WSO2WSO2 Identity Server as Key Manager5.10.0 < 5.10.0.365affected
WSO2WSO2 Open Banking KM0 < 1.4.0unknown
WSO2WSO2 Open Banking KM1.4.0 < 1.4.0.135affected
WSO2WSO2 Open Banking KM1.5.0 < 1.5.0.125affected
WSO2WSO2 Universal Gateway4.5.0 < 4.5.0.27affected
WSO2WSO2 Traffic Manager4.5.0 < 4.5.0.27affected
WSO2org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service1.1.1 < 1.1.1.7affected
WSO2org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service1.1.16 < 1.1.16.6affected
WSO2org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service1.1.18 < 1.1.18.7affected
WSO2org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service1.1.20 < 1.1.20.9affected
WSO2org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service1.1.26 < 1.1.26.11affected
WSO2org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service1.3.6 < 1.3.6.11affected
WSO2org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service1.4.0 < 1.4.0.21affected
WSO2org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service1.4.25 < 1.4.25.27affected
WSO2org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service1.4.52 < 1.4.52.6affected
WSO2org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service1.6.1 < 1.6.1.12affected
WSO2org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service1.7.1 < 1.7.1.7affected
WSO2org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service1.8.11 < 1.8.11.8affected
WSO2org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service1.8.41 < 1.8.41.4affected
WSO2org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service1.9.4 < 1.9.4.9affected
WSO2org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service1.9.18 < 1.9.18.7affected
WSO2org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service1.8 < 1.8.48affected
WSO2org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service1.9.46 <= *unaffected
WSO2org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve1.1.1 < 1.1.1.7affected
WSO2org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve1.1.16 < 1.1.16.6affected
WSO2org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve1.1.18 < 1.1.18.7affected
WSO2org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve1.1.20 < 1.1.20.9affected
WSO2org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve1.1.26 < 1.1.26.11affected
WSO2org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve1.3.6 < 1.3.6.11affected
WSO2org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve1.4.0 < 1.4.0.21affected
WSO2org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve1.4.25 < 1.4.25.27affected
WSO2org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve1.4.52 < 1.4.52.6affected
WSO2org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve1.6.1 < 1.6.1.12affected
WSO2org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve1.7.1 < 1.7.1.7affected
WSO2org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve1.8.11 < 1.8.11.8affected
WSO2org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve1.8.41 < 1.8.41.4affected
WSO2org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve1.9.4 < 1.9.4.9affected
WSO2org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve1.9.18 < 1.9.18.7affected
WSO2org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve1.8 < 1.8.48affected
WSO2org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve1.9.46 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References