
Description

An improper privilege management vulnerability exists in WSO2 API Manager due to missing authentication and authorization checks in the keymanager-operations Dynamic Client Registration (DCR) endpoint. Because the endpoint enforces neither check, a remote attacker with no credentials (CVSS PR:N) can use it to obtain access tokens with elevated privileges, potentially gaining administrative access and the ability to perform unauthorized operations.

Status: PUBLISHED | Reserved 2025-08-19 | Published 2025-10-16 | Updated 2025-10-17 | Assigner: WSO2

CRITICAL: 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Product status

Default status: unaffected

Any version before 3.2.0: unknown
3.2.0 before 3.2.0.437: affected
3.2.1 before 3.2.1.57: affected
4.0.0 before 4.0.0.357: affected
4.1.0 before 4.1.0.221: affected
4.2.0 before 4.2.0.159: affected
4.3.0 before 4.3.0.72: affected
4.4.0 before 4.4.0.35: affected
4.5.0 before 4.5.0.19: affected

Default status: unaffected

4.5.0 before 4.5.0.20: affected
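The ranges above are of the form "release before release.update", so a deployment is affected when it runs a listed base release at an update level below the first fixed one. The following script is an added example (not WSO2 tooling and not part of this record) that encodes those ranges and classifies an installed version such as "4.2.0.158". It assumes versions are written MAJOR.MINOR.PATCH[.UPDATE], with a missing UPDATE meaning update level 0; because the record lists 4.5.0 twice (before 4.5.0.19 and before 4.5.0.20), the script uses the higher threshold, which is the conservative reading for a defender.

```python
"""Classify a WSO2 API Manager version against the CVE-2025-9152 product status.

Added example: the table below is transcribed from this record; the parsing
rules (MAJOR.MINOR.PATCH[.UPDATE], missing UPDATE == 0) are assumptions.
"""
from __future__ import annotations

import sys

# base release -> first fixed update level. "X before X.N" means update
# levels 0..N-1 of release X are affected. 4.5.0 appears in the record with
# both .19 and .20 as fix levels; the higher value is used (assumption).
FIRST_FIXED_UPDATE: dict[tuple[int, int, int], int] = {
    (3, 2, 0): 437,
    (3, 2, 1): 57,
    (4, 0, 0): 357,
    (4, 1, 0): 221,
    (4, 2, 0): 159,
    (4, 3, 0): 72,
    (4, 4, 0): 35,
    (4, 5, 0): 20,
}

# Releases below this are listed as "unknown" in the record.
EARLIEST_KNOWN = (3, 2, 0)


def parse_version(text: str) -> tuple[tuple[int, int, int], int]:
    """Split '4.2.0.158' into ((4, 2, 0), 158); '4.2.0' becomes ((4, 2, 0), 0)."""
    parts = text.strip().split(".")
    if len(parts) not in (3, 4) or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected MAJOR.MINOR.PATCH[.UPDATE], got {text!r}")
    nums = [int(p) for p in parts]
    base = (nums[0], nums[1], nums[2])
    update = nums[3] if len(nums) == 4 else 0
    return base, update


def status(text: str) -> str:
    """Return 'affected', 'unaffected' or 'unknown' per the record's table."""
    base, update = parse_version(text)
    if base < EARLIEST_KNOWN:
        return "unknown"
    first_fixed = FIRST_FIXED_UPDATE.get(base)
    if first_fixed is None:
        # Not a listed release: the record's default status applies.
        return "unaffected"
    return "affected" if update < first_fixed else "unaffected"


def main(argv: list[str]) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} MAJOR.MINOR.PATCH[.UPDATE]", file=sys.stderr)
        return 2
    try:
        verdict = status(argv[1])
    except ValueError as exc:
        print(f"error: {exc}", file=sys.stderr)
        return 2
    print(f"{argv[1]}: {verdict} (CVE-2025-9152)")
    return 1 if verdict == "affected" else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the installed release and update level (for example `python3 check.py 4.2.0.158`); a non-zero exit code on "affected" makes it usable from a fleet inventory script. Note that a bare release string such as "4.2.0" is treated as update level 0, so an instance with no updates applied is reported as affected, which matches the table.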

Credits

crnković (reporter)

References

security.docs.wso2.com/...ty-advisories/2025/WSO2-2025-4483/ vendor-advisory

cve.org (CVE-2025-9152)

nvd.nist.gov (CVE-2025-9152)
