CVE-2025-10611 CRITICAL

CVE-2025-10611: Potential Broken Access Control in Multiple WSO2 Products via System REST APIs

Vendor Wso2
Product WSO2 API Manager
Published October 16, 2025
Last update October 16, 2025

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without proper validation. Successful exploitation of this vulnerability could lead to a malicious actor gaining administrative access and performing unauthenticated and unauthorized administrative operations.

Key dates

02Disclosure timeline

October 16, 2025 CVE published
October 16, 2025 Record updated