CVE-2025-9955

Summary

An improper access control vulnerability exists in WSO2 Enterprise Integrator product due to insufficient permission restrictions on internal SOAP admin services related to system logs and user-store configuration. A low-privileged user can access log data and user-store configuration details that are not intended to be exposed at that privilege level.

While no credentials or sensitive user information are exposed, this vulnerability may allow unauthorized visibility into internal operational details, which could aid in further exploitation or reconnaissance.

Affected Software

VendorProductVersion RangeStatus
WSO2WSO2 Enterprise Integrator0 < 6.0.0unknown
WSO2WSO2 Enterprise Integrator6.0.0 < 6.0.0.22affected
WSO2WSO2 Enterprise Integrator6.1.0 < 6.1.0.39affected
WSO2WSO2 Enterprise Integrator6.1.1 < 6.1.1.43affected
WSO2WSO2 Enterprise Integrator6.2.0 < 6.2.0.62affected
WSO2WSO2 Enterprise Integrator6.3.0 < 6.3.0.70affected
WSO2WSO2 Enterprise Integrator6.4.0 < 6.4.0.100affected
WSO2WSO2 Enterprise Integrator6.5.0 < 6.5.0.107affected
WSO2WSO2 Enterprise Integrator6.6.0 < 6.6.0.222affected
WSO2WSO2 Enterprise Service Bus0 < 5.0.0unknown
WSO2WSO2 Enterprise Service Bus5.0.0 < 5.0.0.29affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.4.8 < 4.4.8.7affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.4.14 < 4.4.14.5affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.4.16 < 4.4.16.9affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.4.26 < 4.4.26.13affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.4.32 < 4.4.32.16affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.4.36 < 4.4.36.7affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.4.40 < 4.4.40.37affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.5.3 < 4.5.3.45affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.9 < 4.9.29affected
WSO2org.wso2.carbon:org.wso2.carbon.base4.10 < 4.10.94affected
WSO2org.wso2.carbon:org.wso2.carbon.server.admin4.4.8 < 4.4.8.7affected
WSO2org.wso2.carbon:org.wso2.carbon.server.admin4.4.14 < 4.4.14.5affected
WSO2org.wso2.carbon:org.wso2.carbon.server.admin4.4.16 < 4.4.16.9affected
WSO2org.wso2.carbon:org.wso2.carbon.server.admin4.4.26 < 4.4.26.13affected
WSO2org.wso2.carbon:org.wso2.carbon.server.admin4.4.32 < 4.4.32.16affected
WSO2org.wso2.carbon:org.wso2.carbon.server.admin4.4.36 < 4.4.36.7affected
WSO2org.wso2.carbon:org.wso2.carbon.server.admin4.4.40 < 4.4.40.37affected
WSO2org.wso2.carbon:org.wso2.carbon.server.admin4.5.3 < 4.5.3.45affected
WSO2org.wso2.carbon:org.wso2.carbon.server.admin4.9 < 4.9.29affected
WSO2org.wso2.carbon:org.wso2.carbon.server.admin4.10 < 4.10.94affected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References