CRITICAL🇵🇱 Wersja polska

CVE-2025-10611

CVSS 9.8v3.1pub. 2025-10-16upd. 2025-11-21

Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without proper validation. Successful exploitation of this vulnerability could lead to a malicious actor gaining administrative access and performing unauthenticated and unauthorized administrative operations.

🤖 AI Analysis
How it works

The vulnerability consists of insufficient access control implementation (CWE-863 – improper authorization) in the REST API request handling layer. An attacker can invoke protected API endpoints without providing valid authentication credentials or possessing required permissions. Requests directed to these APIs do not undergo proper identity validation and permission level checks, resulting in full access to administrative operations.

Impact

An attacker without any privileges can gain administrative access to the system and perform unauthorized management operations, including potentially modifying configuration, managing users, and controlling critical identity platform and open banking functions.

Mitigation & patch

Security patches available from the vendor must be applied according to the references — detailed information about patched versions is contained in the official WSO2 security bulletin at: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4585/

Who is affected

WSO2 Open Banking AM, WSO2 Open Banking KM, WSO2 Traffic Manager, WSO2 Open Banking IAM, WSO2 Identity Server — versions specified in vendor references (advisory WSO2-2025-4585)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Wso2 Api Control Plane

    APP
    Wso2
    4.5.0
  • Wso2 Api Manager

    APP
    Wso2
    2.1.02.2.02.5.02.6.03.0.03.1.03.2.03.2.14.0.04.1.04.2.04.3.04.4.04.5.0
  • Wso2 Identity Server

    APP
    Wso2
    5.10.05.11.05.3.05.5.05.6.05.7.05.8.05.9.06.0.06.1.07.0.07.1.0
  • Wso2 Identity Server As Key Manager

    APP
    Wso2
    5.10.05.3.05.5.05.6.05.7.05.9.0
  • Wso2 Open Banking Am

    APP
    Wso2
    1.4.01.5.02.0.0
  • Wso2 Open Banking Iam

    APP
    Wso2
    2.0.0
  • Wso2 Open Banking Km

    APP
    Wso2
    1.4.01.5.0
  • Wso2 Traffic Manager

    APP
    Wso2
    4.5.0
  • Wso2 Universal Gateway

    APP
    Wso2
    4.5.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2022-29464CRITICAL9.8⚠ KEVten sam produkt

Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must u...

CVE-2025-13590CRITICAL9.1PL ✓ten sam produkt

WSO2 API Manager – RCE przez upload pliku z uprawnieniami administratora

CVE-2025-9312CRITICAL9.8PL ✓ten sam produkt

Brak wymuszania uwierzytelniania mTLS w produktach WSO2 — nieautoryzowany dostęp administracyjny

CVE-2025-9152CRITICAL9.8PL ✓ten sam produkt

WSO2 API Manager — brak uwierzytelniania w endpoincie DCR umożliwia eskalację uprawnień

CVE-2025-9804CRITICAL9.6PL ✓ten sam produkt

Nieprawidłowa kontrola dostępu w wewnętrznych API WSO2 (SOAP/REST)

CVE-2025-10611 — Wso2 — Api Control Plane — CRITICAL — CVSS 9.8 | CVEbaza.pl