CVE-2025-9804

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-9804
An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information. This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected.

9.6 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 6.0

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References
Link Resource
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/ Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:wso2:api_control_plane:4.5.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:2.5.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:2.6.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:3.2.1:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:4.1.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:4.2.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:4.3.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:4.4.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:4.5.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager_analytics:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager_analytics:2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager_analytics:2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager_analytics:2.5.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:data_analytics_server:3.1.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:data_analytics_server:3.2.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:enterprise_integrator:6.2.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:enterprise_integrator:6.3.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:enterprise_mobility_manager:2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:enterprise_service_bus:5.0.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.2.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.3.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.4.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.4.1:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.5.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.6.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.7.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.8.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.9.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.10.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.11.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:6.0.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:6.1.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:7.0.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:7.1.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server_analytics:5.2.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server_analytics:5.3.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server_analytics:5.5.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server_analytics:5.6.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server_as_key_manager:5.3.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server_as_key_manager:5.5.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server_as_key_manager:5.6.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server_as_key_manager:5.7.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server_as_key_manager:5.9.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:open_banking_am:1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:open_banking_am:1.5.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:open_banking_am:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:open_banking_iam:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:open_banking_km:1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:open_banking_km:1.5.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:traffic_manager:4.5.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:universal_gateway:4.5.0:*:*:*:*:*:*:*
History

21 Nov 2025, 21:40

Type Values Removed Values Added
References () https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/ - () https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/ - Vendor Advisory
CPE cpe:2.3:a:wso2:api_manager:2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:4.3.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:7.1.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server_analytics:5.3.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server_as_key_manager:5.9.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server_analytics:5.5.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:open_banking_am:1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server_as_key_manager:5.5.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server_as_key_manager:5.6.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:universal_gateway:4.5.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.7.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.4.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:4.1.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:api_control_plane:4.5.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.11.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server_as_key_manager:5.3.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server_as_key_manager:5.7.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server_analytics:5.2.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager_analytics:2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:3.2.1:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:open_banking_iam:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager_analytics:2.5.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.3.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:6.1.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:4.5.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:open_banking_am:1.5.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.5.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.2.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.9.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:6.0.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:enterprise_integrator:6.2.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager_analytics:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:enterprise_mobility_manager:2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:enterprise_integrator:6.3.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:2.6.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:2.5.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:open_banking_am:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager_analytics:2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server_analytics:5.6.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:7.0.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.4.1:*:*:*:*:*:*:*
cpe:2.3:a:wso2:data_analytics_server:3.1.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:data_analytics_server:3.2.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.10.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:enterprise_service_bus:5.0.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:4.4.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.6.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:open_banking_km:1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:traffic_manager:4.5.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:open_banking_km:1.5.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:4.2.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.8.0:*:*:*:*:*:*:*
First Time Wso2 enterprise Integrator
Wso2 api Manager
Wso2 data Analytics Server
Wso2 identity Server As Key Manager
Wso2 open Banking Iam
Wso2
Wso2 identity Server
Wso2 traffic Manager
Wso2 api Control Plane
Wso2 open Banking Km
Wso2 enterprise Service Bus
Wso2 enterprise Mobility Manager
Wso2 api Manager Analytics
Wso2 open Banking Am
Wso2 identity Server Analytics
Wso2 universal Gateway

17 Oct 2025, 16:15

Type Values Removed Values Added
CWE CWE-284

16 Oct 2025, 13:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-10-16 13:15

Updated : 2025-11-21 21:40

NVD link : CVE-2025-9804

Mitre link : CVE-2025-9804

CVE.ORG link : CVE-2025-9804

JSON object : View

Products Affected

wso2

  • open_banking_km
  • enterprise_service_bus
  • api_manager_analytics
  • identity_server_as_key_manager
  • open_banking_am
  • open_banking_iam
  • enterprise_integrator
  • universal_gateway
  • traffic_manager
  • data_analytics_server
  • enterprise_mobility_manager
  • api_manager
  • api_control_plane
  • identity_server_analytics
  • identity_server
CWE
CWE-284

Improper Access Control