CVE-2025-9152

Summary

An improper privilege management vulnerability exists in WSO2 API Manager due to missing authentication and authorization checks in the keymanager-operations Dynamic Client Registration (DCR) endpoint.

A malicious user can exploit this flaw to generate access tokens with elevated privileges, potentially leading to administrative access and the ability to perform unauthorized operations.

Affected Software

VendorProductVersion RangeStatus
WSO2WSO2 API Manager0 < 3.2.0unknown
WSO2WSO2 API Manager3.2.0 < 3.2.0.437affected
WSO2WSO2 API Manager3.2.1 < 3.2.1.57affected
WSO2WSO2 API Manager4.0.0 < 4.0.0.357affected
WSO2WSO2 API Manager4.1.0 < 4.1.0.221affected
WSO2WSO2 API Manager4.2.0 < 4.2.0.159affected
WSO2WSO2 API Manager4.3.0 < 4.3.0.72affected
WSO2WSO2 API Manager4.4.0 < 4.4.0.35affected
WSO2WSO2 API Manager4.5.0 < 4.5.0.19affected
WSO2WSO2 API Control Plane4.5.0 < 4.5.0.20affected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References