Vulnerability Description
An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information. This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected.
CVSS Score
9.6 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| WSO2 | API Control Plane | 4.5.0 |
| WSO2 | API Manager | 2.0.0 |
| WSO2 | API Manager Analytics | 2.0.0 |
| WSO2 | Data Analytics Server | 3.1.0 |
| WSO2 | Enterprise Integrator | 6.2.0 |
| WSO2 | Enterprise Mobility Manager | 2.2.0 |
| WSO2 | Enterprise Service Bus | 5.0.0 |
| WSO2 | Identity Server | 5.2.0 |
| WSO2 | Identity Server Analytics | 5.2.0 |
| WSO2 | Identity Server as Key Manager | 5.3.0 |
| WSO2 | Open Banking AM | 1.4.0 |
| WSO2 | Open Banking IAM | 2.0.0 |
| WSO2 | Open Banking KM | 1.4.0 |
| WSO2 | Traffic Manager | 4.5.0 |
| WSO2 | Universal Gateway | 4.5.0 |
Related Weaknesses (CWE)
References
FAQ
What is CVE-2025-9804?
CVE-2025-9804 is a vulnerability with a CVSS score of 9.6 (CRITICAL). An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user...
How severe is CVE-2025-9804?
CVE-2025-9804 has been rated CRITICAL with a CVSS base score of 9.6/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-9804?
Check the references section above for vendor advisories and patch information. Affected products include: WSO2 API Control Plane, WSO2 API Manager, WSO2 API Manager Analytics, WSO2 Data Analytics Server, WSO2 Enterprise Integrator.