
Description

Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without proper validation. Successful exploitation of this vulnerability could lead to a malicious actor gaining administrative access and performing unauthenticated and unauthorized administrative operations.

Status: PUBLISHED | Reserved 2025-09-17 | Published 2025-10-16 | Updated 2025-10-16 | Assigner: WSO2

CRITICAL: 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Product status

Default status
unaffected

Any version before 2.1.0
unknown

2.1.0 before 2.1.0.42
affected

2.2.0 before 2.2.0.61
affected

2.5.0 before 2.5.0.87
affected

2.6.0 before 2.6.0.148
affected

3.0.0 before 3.0.0.178
affected

3.1.0 before 3.1.0.345
affected

3.2.0 before 3.2.0.446
affected

3.2.1 before 3.2.1.66
affected

4.0.0 before 4.0.0.366
affected

4.1.0 before 4.1.0.228
affected

4.2.0 before 4.2.0.169
affected

4.3.0 before 4.3.0.81
affected

4.4.0 before 4.4.0.45
affected

4.5.0 before 4.5.0.28
affected

Default status
unaffected

4.5.0 before 4.5.0.29
affected

Default status
unaffected

Any version before 1.4.0
unknown

1.4.0 before 1.4.0.141
affected

1.5.0 before 1.5.0.142
affected

2.0.0 before 2.0.0.394
affected

Default status
unaffected

Any version before 2.0.0
unknown

2.0.0 before 2.0.0.414
affected

Default status
unaffected

Any version before 5.3.0
unknown

5.3.0 before 5.3.0.39
affected

5.5.0 before 5.5.0.54
affected

5.6.0 before 5.6.0.62
affected

5.7.0 before 5.7.0.128
affected

5.8.0 before 5.8.0.112
affected

5.9.0 before 5.9.0.171
affected

5.10.0 before 5.10.0.375
affected

5.11.0 before 5.11.0.419
affected

6.0.0 before 6.0.0.248
affected

6.1.0 before 6.1.0.248
affected

7.0.0 before 7.0.0.124
affected

7.1.0 before 7.1.0.31
affected

Default status
unaffected

Any version before 5.3.0
unknown

5.3.0 before 5.3.0.44
affected

5.5.0 before 5.5.0.55
affected

5.6.0 before 5.6.0.77
affected

5.7.0 before 5.7.0.127
affected

5.9.0 before 5.9.0.178
affected

5.10.0 before 5.10.0.365
affected

Default status
unaffected

Any version before 1.4.0
unknown

1.4.0 before 1.4.0.135
affected

1.5.0 before 1.5.0.125
affected

Default status
unaffected

4.5.0 before 4.5.0.27
affected

Default status
unaffected

4.5.0 before 4.5.0.27
affected

Default status
unknown

1.1.1 before 1.1.1.7
affected

1.1.16 before 1.1.16.6
affected

1.1.18 before 1.1.18.7
affected

1.1.20 before 1.1.20.9
affected

1.1.26 before 1.1.26.11
affected

1.3.6 before 1.3.6.11
affected

1.4.0 before 1.4.0.21
affected

1.4.25 before 1.4.25.27
affected

1.4.52 before 1.4.52.6
affected

1.6.1 before 1.6.1.12
affected

1.7.1 before 1.7.1.7
affected

1.8.11 before 1.8.11.8
affected

1.8.41 before 1.8.41.4
affected

1.9.4 before 1.9.4.9
affected

1.9.18 before 1.9.18.7
affected

1.8 before 1.8.48
affected

1.9.46
unaffected

Default status
unknown

1.1.1 before 1.1.1.7
affected

1.1.16 before 1.1.16.6
affected

1.1.18 before 1.1.18.7
affected

1.1.20 before 1.1.20.9
affected

1.1.26 before 1.1.26.11
affected

1.3.6 before 1.3.6.11
affected

1.4.0 before 1.4.0.21
affected

1.4.25 before 1.4.25.27
affected

1.4.52 before 1.4.52.6
affected

1.6.1 before 1.6.1.12
affected

1.7.1 before 1.7.1.7
affected

1.8.11 before 1.8.11.8
affected

1.8.41 before 1.8.41.4
affected

1.9.4 before 1.9.4.9
affected

1.9.18 before 1.9.18.7
affected

1.8 before 1.8.48
affected

1.9.46
unaffected

References

security.docs.wso2.com/...ty-advisories/2025/WSO2-2025-4585/ vendor-advisory

cve.org (CVE-2025-10611)

nvd.nist.gov (CVE-2025-10611)
