CVE-2025-9804 CRITICAL

CVE-2025-9804: Improper Access Control in Multiple WSO2 Products via Internal SOAP Admin Services and System REST APIs

Vendor WSO2
Product WSO2 Identity Server as Key Manager
Published October 16, 2025
Last update October 17, 2025

CVSS base score

9.6/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction None
Scope Changed
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

Description

An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information. This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected.

Key dates

Disclosure timeline

October 16, 2025 CVE published
October 17, 2025 Record updated