CVE-2025-9804

Summary

An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information.

This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected.

Affected Software

VendorProductVersion RangeStatus
WSO2WSO2 Identity Server as Key Manager0 < 5.3.0unknown
WSO2WSO2 Identity Server as Key Manager5.3.0 < 5.3.0.41affected
WSO2WSO2 Identity Server as Key Manager5.5.0 < 5.5.0.53affected
WSO2WSO2 Identity Server as Key Manager5.6.0 < 5.6.0.75affected
WSO2WSO2 Identity Server as Key Manager5.7.0 < 5.7.0.125affected
WSO2WSO2 Identity Server as Key Manager5.9.0 < 5.9.0.176affected
WSO2WSO2 Identity Server as Key Manager5.10.0 < 5.10.0.359affected
WSO2WSO2 Identity Server0 < 5.2.0unknown
WSO2WSO2 Identity Server5.2.0 < 5.2.0.34affected
WSO2WSO2 Identity Server5.3.0 < 5.3.0.36affected
WSO2WSO2 Identity Server5.4.0 < 5.4.0.34affected
WSO2WSO2 Identity Server5.4.1 < 5.4.1.38affected
WSO2WSO2 Identity Server5.5.0 < 5.5.0.52affected
WSO2WSO2 Identity Server5.6.0 < 5.6.0.60affected
WSO2WSO2 Identity Server5.7.0 < 5.7.0.126affected
WSO2WSO2 Identity Server5.8.0 < 5.8.0.110affected
WSO2WSO2 Identity Server5.9.0 < 5.9.0.169affected
WSO2WSO2 Identity Server5.10.0 < 5.10.0.369affected
WSO2WSO2 Identity Server5.11.0 < 5.11.0.413affected
WSO2WSO2 Identity Server6.0.0 < 6.0.0.244affected
WSO2WSO2 Identity Server6.1.0 < 6.1.0.243affected
WSO2WSO2 Identity Server7.0.0 < 7.0.0.118affected
WSO2WSO2 Identity Server7.1.0 < 7.1.0.25affected
WSO2WSO2 Open Banking KM0 < 1.4.0unknown
WSO2WSO2 Open Banking KM1.4.0 < 1.4.0.133affected
WSO2WSO2 Open Banking KM1.5.0 < 1.5.0.123affected
WSO2WSO2 Open Banking IAM0 < 2.0.0unknown
WSO2WSO2 Open Banking IAM2.0.0 < 2.0.0.409affected
WSO2WSO2 Open Banking AM0 < 1.4.0unknown
WSO2WSO2 Open Banking AM1.4.0 < 1.4.0.139affected
WSO2WSO2 Open Banking AM1.5.0 < 1.5.0.140affected
WSO2WSO2 Open Banking AM2.0.0 < 2.0.0.389affected
WSO2WSO2 API Manager0 < 2.0.0unknown
WSO2WSO2 API Manager2.0.0 < 2.0.0.31affected
WSO2WSO2 API Manager2.1.0 < 2.1.0.40affected
WSO2WSO2 API Manager2.2.0 < 2.2.0.59affected
WSO2WSO2 API Manager2.5.0 < 2.5.0.85affected
WSO2WSO2 API Manager2.6.0 < 2.6.0.146affected
WSO2WSO2 API Manager3.0.0 < 3.0.0.176affected
WSO2WSO2 API Manager3.1.0 < 3.1.0.340affected
WSO2WSO2 API Manager3.2.0 < 3.2.0.441affected
WSO2WSO2 API Manager3.2.1 < 3.2.1.61affected
WSO2WSO2 API Manager4.0.0 < 4.0.0.361affected
WSO2WSO2 API Manager4.1.0 < 4.1.0.224affected
WSO2WSO2 API Manager4.2.0 < 4.2.0.162affected
WSO2WSO2 API Manager4.3.0 < 4.3.0.75affected
WSO2WSO2 API Manager4.4.0 < 4.4.0.39affected
WSO2WSO2 API Manager4.5.0 < 4.5.0.23affected
WSO2WSO2 Identity Server Analytics0 < 5.2.0unknown
WSO2WSO2 Identity Server Analytics5.2.0 < 5.2.0.19affected
WSO2WSO2 Identity Server Analytics5.3.0 < 5.3.0.17affected
WSO2WSO2 Identity Server Analytics5.5.0 < 5.5.0.31affected
WSO2WSO2 Identity Server Analytics5.6.0 < 5.6.0.38affected
WSO2API Manager Analytics0 < 2.0.0unknown
WSO2API Manager Analytics2.0.0 < 2.0.0.14affected
WSO2API Manager Analytics2.1.0 < 2.1.0.19affected
WSO2API Manager Analytics2.2.0 < 2.2.0.30affected
WSO2API Manager Analytics2.5.0 < 2.5.0.39affected
WSO2WSO2 Enterprise Integrator0 < 6.2.0unknown
WSO2WSO2 Enterprise Integrator6.2.0 < 6.2.0.62affected
WSO2WSO2 Enterprise Integrator6.3.0 < 6.3.0.70affected
WSO2WSO2 Enterprise Service Bus Analytics0 < 5.0.0unknown
WSO2WSO2 Enterprise Service Bus Analytics5.0.0 < 5.0.0.13affected
WSO2WSO2 Data Analytics Server0 < 3.1.0unknown
WSO2WSO2 Data Analytics Server3.1.0 < 3.1.0.20affected
WSO2WSO2 Data Analytics Server3.2.0 < 3.2.0.33affected
WSO2WSO2 Enterprise Mobility Manager0 < 2.2.0unknown
WSO2WSO2 Enterprise Mobility Manager2.2.0 < 2.2.0.28affected
WSO2WSO2 Universal Gateway4.5.0 < 4.5.0.22affected
WSO2WSO2 API Control Plane4.5.0 < 4.5.0.24affected
WSO2WSO2 Traffic Manager4.5.0 < 4.5.0.22affected
WSO2org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector2.0.10 < 2.0.10.1affected
WSO2org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector2.0.15 < 2.0.15.1affected
WSO2org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector2.0.21 < 2.0.21.1affected
WSO2org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector2.0.22 < 2.0.22.1affected
WSO2org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector2.1.12 < 2.1.12.1affected
WSO2org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector2.1 < 2.1.1972affected
WSO2org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector2.2 < 2.2.24affected
WSO2org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector2.2 < 2.2.25affected
WSO2org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector3.1.0 < 3.1.0.74affected
WSO2org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector3.3.6 < 3.3.6.7affected
WSO2org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector3.3.26 < 3.3.26.2affected
WSO2org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector3.3.35 < 3.3.35.1affected
WSO2org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector3.3.41 <= *unaffected
WSO2org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util6.7.206 < 6.7.206.567affected
WSO2org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util6.7.210 < 6.7.210.63affected
WSO2org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util9.0.174 < 9.0.174.522affected
WSO2org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util9.20.74 < 9.20.74.379affected
WSO2org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util9.28.116 < 9.28.116.360affected
WSO2org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util9.29.120 < 9.29.120.184affected
WSO2org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util9.30.67 < 9.30.67.109affected
WSO2org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util9.31.86 < 9.31.86.71affected
WSO2org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util9.32.133 <= *unaffected
WSO2org.wso2.carbon:org.wso2.carbon.base4.4.7 < 4.4.7.6affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.4.9 < 4.4.9.11affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.4.11 < 4.4.11.9affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.4.26 < 4.4.26.12affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.4.35 < 4.4.35.44affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.5.1 < 4.5.1.43affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.6.0 < 4.6.0.1990affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.6.1 < 4.6.1.149affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.6.2 < 4.6.2.667affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.6.3 < 4.6.3.36affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.6.4 < 4.6.4.14affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.7.1 < 4.7.1.68affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.8.1 < 4.8.1.39affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.9.0 < 4.9.0.99affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.9.26 < 4.9.26.25affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.9.27 < 4.9.27.10affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.9.28 < 4.9.28.11affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.10.9 < 4.10.9.66affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.10.42 < 4.10.42.9affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.9 < 4.9.29affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.10 < 4.10.94affected
WSO2org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt5.2.0 < 5.2.0.4affected
WSO2org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt5.2.2 < 5.2.2.21affected
WSO2org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt5.7.5 < 5.7.5.18affected
WSO2org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt5.11.148 < 5.11.148.19affected
WSO2org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt5.11.256 < 5.11.256.21affected
WSO2org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt5.12.153 < 5.12.153.63affected
WSO2org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt5.12.387 < 5.12.387.46affected
WSO2org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt5.14.97 < 5.14.97.89affected
WSO2org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt5.17.5 < 5.17.5.317affected
WSO2org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt5.17.118 < 5.17.118.17affected
WSO2org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt5.18.187 < 5.18.187.309affected
WSO2org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt5.18.248 < 5.18.248.30affected
WSO2org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt5.23.8 < 5.23.8.207affected
WSO2org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt5.24.8 < 5.24.8.23affected
WSO2org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt5.25.92 < 5.25.92.152affected
WSO2org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt5.25.705 < 5.25.705.19affected
WSO2org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt5.25.713 < 5.25.713.9affected
WSO2org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt5.25.724 < 5.25.724.3affected
WSO2org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt7.0.78 < 7.0.78.133affected
WSO2org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt7.8.23 < 7.8.23.47affected
WSO2org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt5.25 < 5.25.734affected
WSO2org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt7.8.489 <= *unaffected
WSO2org.wso2.carbon:org.wso2.carbon.server.admin4.4.7 < 4.4.7.6affected
WSO2org.wso2.carbon:org.wso2.carbon.server.admin4.4.9 < 4.4.9.11affected
WSO2org.wso2.carbon:org.wso2.carbon.server.admin4.4.11 < 4.4.11.9affected
WSO2org.wso2.carbon:org.wso2.carbon.server.admin4.4.26 < 4.4.26.12affected
WSO2org.wso2.carbon:org.wso2.carbon.server.admin4.4.32 < 4.4.32.16affected
WSO2org.wso2.carbon:org.wso2.carbon.server.admin4.4.35 < 4.4.35.44affected
WSO2org.wso2.carbon:org.wso2.carbon.server.admin4.5.1 < 4.5.1.43affected
WSO2org.wso2.carbon:org.wso2.carbon.server.admin4.6.0 < 4.6.0.1990affected
WSO2org.wso2.carbon:org.wso2.carbon.server.admin4.6.1 < 4.6.1.149affected
WSO2org.wso2.carbon:org.wso2.carbon.server.admin4.6.2 < 4.6.2.667affected
WSO2org.wso2.carbon:org.wso2.carbon.server.admin4.6.3 < 4.6.3.36affected
WSO2org.wso2.carbon:org.wso2.carbon.server.admin4.6.4 < 4.6.4.14affected
WSO2org.wso2.carbon:org.wso2.carbon.server.admin4.7.1 < 4.7.1.68affected
WSO2org.wso2.carbon:org.wso2.carbon.server.admin4.8.1 < 4.8.1.39affected
WSO2org.wso2.carbon:org.wso2.carbon.server.admin4.9.0 < 4.9.0.99affected
WSO2org.wso2.carbon:org.wso2.carbon.server.admin4.9.26 < 4.9.26.25affected
WSO2org.wso2.carbon:org.wso2.carbon.server.admin4.9.27 < 4.9.27.10affected
WSO2org.wso2.carbon:org.wso2.carbon.server.admin4.9.28 < 4.9.28.11affected
WSO2org.wso2.carbon:org.wso2.carbon.server.admin4.10.9 < 4.10.9.66affected
WSO2org.wso2.carbon:org.wso2.carbon.server.admin4.10.42 < 4.10.42.9affected
WSO2org.wso2.carbon:org.wso2.carbon.server.admin4.9 < 4.9.29affected
WSO2org.wso2.carbon:org.wso2.carbon.server.admin4.10 < 4.10.94affected
WSO2org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow5.1.1 < 5.1.1.1affected
WSO2org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow5.1.2 < 5.1.2.1affected
WSO2org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow5.1.5 < 5.1.5.1affected
WSO2org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow5.3.3 < 5.3.3.1affected
WSO2org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow5.4.0 < 5.4.0.4affected
WSO2org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow5.4.1 < 5.4.1.5affected
WSO2org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow5.6.0 < 5.6.0.1affected
WSO2org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow5.6.21 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References