9.6критическая
CVE-2025-9804
Описание
An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information.
This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected.
Затрагиваемое ПО
Wso2 Api control planeWso2 Api managerWso2 Api manager analyticsWso2 Data analytics serverWso2 Enterprise integratorWso2 Enterprise mobility managerWso2 Enterprise service busWso2 Identity serverWso2 Identity server analyticsWso2 Identity server as key managerWso2 Open banking amWso2 Open banking iamWso2 Open banking kmWso2 Traffic managerWso2 Universal gateway
CVSS
| Балл | 9.6 — критическая |
| Вектор | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
Источники
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/