CVE-2025-9804 - Vulnerability Details

CVE-2025-9804 - Improper Access Control in Multiple WSO2 Products via Internal SOAP Admin Services and System REST APIs

An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information. This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact total

No data.

References

Link	Providers
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/

History

Thu, 16 Oct 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 16 Oct 2025 13:00:00 +0000

Type	Values Removed	Values Added
Description		An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information. This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected.
Title		Improper Access Control in Multiple WSO2 Products via Internal SOAP Admin Services and System REST APIs
References		https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/
Metrics		cvssV3_1 `{'score': 8.9, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L'}`

MITRE

Status: PUBLISHED

Assigner: WSO2

Published: 2025-10-16T12:33:45.426Z

Updated: 2025-10-16T13:21:25.991Z

Reserved: 2025-09-01T13:11:12.678Z

Link: CVE-2025-9804

Vulnrichment

Updated: 2025-10-16T13:21:20.748Z

NVD

Status : Awaiting Analysis

Published: 2025-10-16T13:15:42.130

Modified: 2025-10-16T15:28:59.610

Link: CVE-2025-9804

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object