Description

An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information. This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected.

Status: PUBLISHED | Reserved: 2025-09-01 | Published: 2025-10-16 | Updated: 2025-10-17 | Assigner: WSO2

CRITICAL: 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) - for WSO2 API Manager

HIGH: 8.9 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L) - for WSO2 Identity Server

Product status

Default status: unaffected
Any version before 5.3.0: unknown
5.3.0 before 5.3.0.41: affected
5.5.0 before 5.5.0.53: affected
5.6.0 before 5.6.0.75: affected
5.7.0 before 5.7.0.125: affected
5.9.0 before 5.9.0.176: affected
5.10.0 before 5.10.0.359: affected

Default status: unaffected
Any version before 5.2.0: unknown
5.2.0 before 5.2.0.34: affected
5.3.0 before 5.3.0.36: affected
5.4.0 before 5.4.0.34: affected
5.4.1 before 5.4.1.38: affected
5.5.0 before 5.5.0.52: affected
5.6.0 before 5.6.0.60: affected
5.7.0 before 5.7.0.126: affected
5.8.0 before 5.8.0.110: affected
5.9.0 before 5.9.0.169: affected
5.10.0 before 5.10.0.369: affected
5.11.0 before 5.11.0.413: affected
6.0.0 before 6.0.0.244: affected
6.1.0 before 6.1.0.243: affected
7.0.0 before 7.0.0.118: affected
7.1.0 before 7.1.0.25: affected

Default status: unaffected
Any version before 1.4.0: unknown
1.4.0 before 1.4.0.133: affected
1.5.0 before 1.5.0.123: affected

Default status: unaffected
Any version before 2.0.0: unknown
2.0.0 before 2.0.0.409: affected

Default status: unaffected
Any version before 1.4.0: unknown
1.4.0 before 1.4.0.139: affected
1.5.0 before 1.5.0.140: affected
2.0.0 before 2.0.0.389: affected

Default status: unaffected
Any version before 2.0.0: unknown
2.0.0 before 2.0.0.31: affected
2.1.0 before 2.1.0.40: affected
2.2.0 before 2.2.0.59: affected
2.5.0 before 2.5.0.85: affected
2.6.0 before 2.6.0.146: affected
3.0.0 before 3.0.0.176: affected
3.1.0 before 3.1.0.340: affected
3.2.0 before 3.2.0.441: affected
3.2.1 before 3.2.1.61: affected
4.0.0 before 4.0.0.361: affected
4.1.0 before 4.1.0.224: affected
4.2.0 before 4.2.0.162: affected
4.3.0 before 4.3.0.75: affected
4.4.0 before 4.4.0.39: affected
4.5.0 before 4.5.0.23: affected

Default status: unaffected
Any version before 5.2.0: unknown
5.2.0 before 5.2.0.19: affected
5.3.0 before 5.3.0.17: affected
5.5.0 before 5.5.0.31: affected
5.6.0 before 5.6.0.38: affected

Default status: unaffected
Any version before 2.0.0: unknown
2.0.0 before 2.0.0.14: affected
2.1.0 before 2.1.0.19: affected
2.2.0 before 2.2.0.30: affected
2.5.0 before 2.5.0.39: affected

Default status: unaffected
Any version before 6.2.0: unknown
6.2.0 before 6.2.0.62: affected
6.3.0 before 6.3.0.70: affected

Default status: unaffected
Any version before 5.0.0: unknown
5.0.0 before 5.0.0.13: affected

Default status: unaffected
Any version before 3.1.0: unknown
3.1.0 before 3.1.0.20: affected
3.2.0 before 3.2.0.33: affected

Default status: unaffected
Any version before 2.2.0: unknown
2.2.0 before 2.2.0.28: affected

Default status: unaffected
4.5.0 before 4.5.0.22: affected

Default status: unaffected
4.5.0 before 4.5.0.24: affected

Default status: unaffected
4.5.0 before 4.5.0.22: affected

Default status: unknown
2.0.10 before 2.0.10.1: affected
2.0.15 before 2.0.15.1: affected
2.0.21 before 2.0.21.1: affected
2.0.22 before 2.0.22.1: affected
2.1.12 before 2.1.12.1: affected
2.1 before 2.1.1972: affected
2.2 before 2.2.24: affected
2.2 before 2.2.25: affected
3.1.0 before 3.1.0.74: affected
3.3.6 before 3.3.6.7: affected
3.3.26 before 3.3.26.2: affected
3.3.35 before 3.3.35.1: affected
3.3.41: unaffected

Default status: unknown
6.7.206 before 6.7.206.567: affected
6.7.210 before 6.7.210.63: affected
9.0.174 before 9.0.174.522: affected
9.20.74 before 9.20.74.379: affected
9.28.116 before 9.28.116.360: affected
9.29.120 before 9.29.120.184: affected
9.30.67 before 9.30.67.109: affected
9.31.86 before 9.31.86.71: affected
9.32.133: unaffected

Default status: unknown
4.4.7 before 4.4.7.6: affected
4.4.9 before 4.4.9.11: affected
4.4.11 before 4.4.11.9: affected
4.4.26 before 4.4.26.12: affected
4.4.35 before 4.4.35.44: affected
4.5.1 before 4.5.1.43: affected
4.6.0 before 4.6.0.1990: affected
4.6.1 before 4.6.1.149: affected
4.6.2 before 4.6.2.667: affected
4.6.3 before 4.6.3.36: affected
4.6.4 before 4.6.4.14: affected
4.7.1 before 4.7.1.68: affected
4.8.1 before 4.8.1.39: affected
4.9.0 before 4.9.0.99: affected
4.9.26 before 4.9.26.25: affected
4.9.27 before 4.9.27.10: affected
4.9.28 before 4.9.28.11: affected
4.10.9 before 4.10.9.66: affected
4.10.42 before 4.10.42.9: affected
4.9 before 4.9.29: affected
4.10 before 4.10.94: affected

Default status: unknown
5.2.0 before 5.2.0.4: affected
5.2.2 before 5.2.2.21: affected
5.7.5 before 5.7.5.18: affected
5.11.148 before 5.11.148.19: affected
5.11.256 before 5.11.256.21: affected
5.12.153 before 5.12.153.63: affected
5.12.387 before 5.12.387.46: affected
5.14.97 before 5.14.97.89: affected
5.17.5 before 5.17.5.317: affected
5.17.118 before 5.17.118.17: affected
5.18.187 before 5.18.187.309: affected
5.18.248 before 5.18.248.30: affected
5.23.8 before 5.23.8.207: affected
5.24.8 before 5.24.8.23: affected
5.25.92 before 5.25.92.152: affected
5.25.705 before 5.25.705.19: affected
5.25.713 before 5.25.713.9: affected
5.25.724 before 5.25.724.3: affected
7.0.78 before 7.0.78.133: affected
7.8.23 before 7.8.23.47: affected
5.25 before 5.25.734: affected
7.8.489: unaffected

Default status: unknown
4.4.7 before 4.4.7.6: affected
4.4.9 before 4.4.9.11: affected
4.4.11 before 4.4.11.9: affected
4.4.26 before 4.4.26.12: affected
4.4.32 before 4.4.32.16: affected
4.4.35 before 4.4.35.44: affected
4.5.1 before 4.5.1.43: affected
4.6.0 before 4.6.0.1990: affected
4.6.1 before 4.6.1.149: affected
4.6.2 before 4.6.2.667: affected
4.6.3 before 4.6.3.36: affected
4.6.4 before 4.6.4.14: affected
4.7.1 before 4.7.1.68: affected
4.8.1 before 4.8.1.39: affected
4.9.0 before 4.9.0.99: affected
4.9.26 before 4.9.26.25: affected
4.9.27 before 4.9.27.10: affected
4.9.28 before 4.9.28.11: affected
4.10.9 before 4.10.9.66: affected
4.10.42 before 4.10.42.9: affected
4.9 before 4.9.29: affected
4.10 before 4.10.94: affected

Default status: unknown
5.1.1 before 5.1.1.1: affected
5.1.2 before 5.1.2.1: affected
5.1.5 before 5.1.5.1: affected
5.3.3 before 5.3.3.1: affected
5.4.0 before 5.4.0.4: affected
5.4.1 before 5.4.1.5: affected
5.6.0 before 5.6.0.1: affected
5.6.21: unaffected

Credits

crnković (reporter)

References

security.docs.wso2.com/...ty-advisories/2025/WSO2-2025-4503/ (vendor advisory)

cve.org (CVE-2025-9804)

nvd.nist.gov (CVE-2025-9804)