A
n improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information. This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected.
References
| Link | Resource |
|---|---|
| https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/ | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2025, 21:40
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Wso2 data Analytics Server
Wso2 enterprise Integrator Wso2 traffic Manager Wso2 identity Server As Key Manager Wso2 api Manager Analytics Wso2 open Banking Km Wso2 enterprise Mobility Manager Wso2 api Manager Wso2 identity Server Analytics Wso2 Wso2 identity Server Wso2 open Banking Am Wso2 api Control Plane Wso2 enterprise Service Bus Wso2 universal Gateway Wso2 open Banking Iam |
|
| References | () https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/ - Vendor Advisory | |
| CPE | cpe:2.3:a:wso2:traffic_manager:4.5.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:api_control_plane:4.5.0:-:*:*:*:*:*:* cpe:2.3:a:wso2:universal_gateway:4.5.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:identity_server:5.4.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:identity_server_analytics:5.3.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:identity_server_as_key_manager:5.7.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:identity_server:5.5.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:identity_server_analytics:5.6.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:api_manager:4.4.0:-:*:*:*:*:*:* cpe:2.3:a:wso2:open_banking_am:1.4.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:enterprise_integrator:6.2.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:identity_server:5.10.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:identity_server:7.0.0:-:*:*:*:*:*:* cpe:2.3:a:wso2:identity_server:5.3.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:api_manager:3.2.1:*:*:*:*:*:*:* cpe:2.3:a:wso2:identity_server:7.1.0:-:*:*:*:*:*:* cpe:2.3:a:wso2:open_banking_km:1.5.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:api_manager:4.2.0:-:*:*:*:*:*:* cpe:2.3:a:wso2:identity_server:6.0.0:-:*:*:*:*:*:* cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:identity_server_as_key_manager:5.3.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:identity_server_as_key_manager:5.5.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:open_banking_am:1.5.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:identity_server:5.7.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:api_manager_analytics:2.2.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:identity_server:5.2.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:open_banking_am:2.0.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:api_manager:2.1.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:api_manager:4.3.0:-:*:*:*:*:*:* cpe:2.3:a:wso2:api_manager:2.6.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:identity_server_as_key_manager:5.6.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:open_banking_iam:2.0.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:enterprise_integrator:6.3.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:identity_server_as_key_manager:5.9.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:enterprise_mobility_manager:2.2.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:api_manager_analytics:2.5.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:identity_server:5.6.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:api_manager_analytics:2.0.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:data_analytics_server:3.1.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:identity_server_analytics:5.2.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:identity_server_analytics:5.5.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:api_manager:2.0.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:api_manager:3.0.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:identity_server:5.8.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:api_manager:4.5.0:-:*:*:*:*:*:* cpe:2.3:a:wso2:enterprise_service_bus:5.0.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:open_banking_km:1.4.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:api_manager:4.1.0:-:*:*:*:*:*:* cpe:2.3:a:wso2:identity_server:6.1.0:-:*:*:*:*:*:* cpe:2.3:a:wso2:identity_server:5.9.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:data_analytics_server:3.2.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:api_manager:2.5.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:identity_server:5.11.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:identity_server:5.4.1:*:*:*:*:*:*:* cpe:2.3:a:wso2:api_manager_analytics:2.1.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:api_manager:2.2.0:*:*:*:*:*:*:* |
17 Oct 2025, 16:15
| Type | Values Removed | Values Added |
|---|---|---|
| CWE | CWE-284 |
16 Oct 2025, 13:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-10-16 13:15
Updated : 2025-11-21 21:40
NVD link : CVE-2025-9804
Mitre link : CVE-2025-9804
CVE.ORG link : CVE-2025-9804
JSON object : View
Products Affected
- open_banking_am
- enterprise_mobility_manager
- open_banking_km
- api_control_plane
- identity_server_as_key_manager
- universal_gateway
- api_manager
- enterprise_integrator
- identity_server_analytics
- open_banking_iam
- api_manager_analytics
- identity_server
- data_analytics_server
- traffic_manager
- enterprise_service_bus
CWE
CWE-284
Improper Access Control