CVE-2025-5605

Summary

An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the console can manipulate the request URI to bypass authentication and access certain restricted resources, resulting in partial information disclosure.

The known exposure from this issue is limited to memory statistics. While the vulnerability does not allow full account compromise, it still enables unauthorized access to internal system details.

Affected Software

VendorProductVersion RangeStatus
WSO2WSO2 Identity Server0 < 5.10.0unknown
WSO2WSO2 Identity Server5.10.0 < 5.10.0.361affected
WSO2WSO2 Identity Server5.11.0 < 5.11.0.414affected
WSO2WSO2 Identity Server6.0.0 < 6.0.0.245affected
WSO2WSO2 Identity Server6.1.0 < 6.1.0.244affected
WSO2WSO2 Identity Server7.0.0 < 7.0.0.119affected
WSO2WSO2 Identity Server7.1.0 < 7.1.0.25affected
WSO2WSO2 Enterprise Integrator0 < 6.6.0unknown
WSO2WSO2 Enterprise Integrator6.6.0 < 6.6.0.217affected
WSO2WSO2 Universal Gateway4.5.0 < 4.5.0.10affected
WSO2WSO2 Traffic Manager4.5.0 < 4.5.0.10affected
WSO2WSO2 API Manager0 < 3.1.0unknown
WSO2WSO2 API Manager3.1.0 < 3.1.0.334affected
WSO2WSO2 API Manager3.2.0 < 3.2.0.430affected
WSO2WSO2 API Manager3.2.1 < 3.2.1.48affected
WSO2WSO2 API Manager4.0.0 < 4.0.0.346affected
WSO2WSO2 API Manager4.1.0 < 4.1.0.210affected
WSO2WSO2 API Manager4.2.0 < 4.2.0.148affected
WSO2WSO2 API Manager4.3.0 < 4.3.0.61affected
WSO2WSO2 API Manager4.4.0 < 4.4.0.24affected
WSO2WSO2 API Manager4.5.0 < 4.5.0.10affected
WSO2WSO2 API Control Plane4.5.0 < 4.5.0.11affected
WSO2WSO2 Identity Server as Key Manager0 < 5.10.0unknown
WSO2WSO2 Identity Server as Key Manager5.10.0 < 5.10.0.354affected
WSO2WSO2 Open Banking AM0 < 2.0.0unknown
WSO2WSO2 Open Banking AM2.0.0 < 2.0.0.382affected
WSO2WSO2 Open Banking IAM0 < 2.0.0unknown
WSO2WSO2 Open Banking IAM2.0.0 < 2.0.0.403affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.5.3 < 4.5.3.40affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.6.0 < 4.6.0.1224affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.6.1 < 4.6.1.150affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.6.2 < 4.6.2.664affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.6.3 < 4.6.3.32affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.6.4 < 4.6.4.8affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.7.1 < 4.7.1.69affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.8.1 < 4.8.1.33affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.9.0 < 4.9.0.100affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.9.26 < 4.9.26.20affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.9.27 < 4.9.27.4affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.9.28 < 4.9.28.4affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.10.9 < 4.10.9.68affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.10.42 < 4.10.42.10affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.9.29 <= 4.9.*unaffected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.10.90 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References