{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-8325","assignerOrgId":"ed10eef1-636d-4fbe-9993-6890dfa878f8","state":"PUBLISHED","assignerShortName":"WSO2","dateReserved":"2025-07-30T06:56:38.447Z","datePublished":"2026-05-11T09:37:16.152Z","dateUpdated":"2026-05-11T12:41:26.715Z"},"containers":{"cna":{"providerMetadata":{"orgId":"ed10eef1-636d-4fbe-9993-6890dfa878f8","shortName":"WSO2","dateUpdated":"2026-05-11T09:37:16.152Z"},"title":"Improper Access Control via Gateway API in Multiple WSO2 Products Allows Unauthorized Operations","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-281","description":"CWE-281: Assigning Permissions Instead of Checking Them","type":"CWE"}]}],"impacts":[{"capecId":"CAPEC-558","descriptions":[{"lang":"en","value":"CAPEC-558 CAPEC-558: Privilege Escalation"}]}],"affected":[{"vendor":"WSO2","product":"WSO2 API Control Plane","versions":[{"status":"affected","version":"4.5.0","lessThan":"4.5.0.18","versionType":"custom"}],"defaultStatus":"unaffected"},{"vendor":"WSO2","product":"WSO2 Universal Gateway","versions":[{"status":"affected","version":"4.5.0","lessThan":"4.5.0.17","versionType":"custom"}],"defaultStatus":"unaffected"},{"vendor":"WSO2","product":"WSO2 Traffic Manager","versions":[{"status":"affected","version":"4.5.0","lessThan":"4.5.0.17","versionType":"custom"}],"defaultStatus":"unaffected"},{"vendor":"WSO2","product":"WSO2 API Manager","versions":[{"status":"unknown","version":"0","lessThan":"3.2.0","versionType":"custom"},{"status":"affected","version":"3.2.0","lessThan":"3.2.0.435","versionType":"custom"},{"status":"affected","version":"3.2.1","lessThan":"3.2.1.55","versionType":"custom"},{"status":"affected","version":"4.0.0","lessThan":"4.0.0.355","versionType":"custom"},{"status":"affected","version":"4.1.0","lessThan":"4.1.0.219","versionType":"custom"},{"status":"affected","version":"4.2.0","lessThan":"4.2.0.157","versionType":"custom"},{"status":"affected","version":"4.3.0","lessThan":"4.3.0.70","versionType":"custom"},{"status":"affected","version":"4.4.0","lessThan":"4.4.0.33","versionType":"custom"},{"status":"affected","version":"4.5.0","lessThan":"4.5.0.17","versionType":"custom"}],"defaultStatus":"unaffected"},{"vendor":"WSO2","product":"WSO2 Carbon API Management Implementation","packageName":"org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl","versions":[{"status":"affected","version":"6.7.206","lessThan":"6.7.206.563","versionType":"custom"},{"status":"affected","version":"6.7.210","lessThan":"6.7.210.55","versionType":"custom"},{"status":"affected","version":"9.0.174","lessThan":"9.0.174.513","versionType":"custom"},{"status":"affected","version":"9.20.74","lessThan":"9.20.74.375","versionType":"custom"},{"status":"affected","version":"9.28.116","lessThan":"9.28.116.352","versionType":"custom"},{"status":"affected","version":"9.29.120","lessThan":"9.29.120.177","versionType":"custom"},{"status":"affected","version":"9.30.67","lessThan":"9.30.67.100","versionType":"custom"},{"status":"affected","version":"9.31.86","lessThan":"9.31.86.58","versionType":"custom"},{"status":"unaffected","version":"9.32.75","lessThanOrEqual":"*","versionType":"custom"}],"defaultStatus":"unknown"},{"vendor":"WSO2","product":"WSO2 Carbon API Manager Rest API Utility","packageName":"org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util","versions":[{"status":"affected","version":"6.7.206","lessThan":"6.7.206.563","versionType":"custom"},{"status":"affected","version":"6.7.210","lessThan":"6.7.210.55","versionType":"custom"},{"status":"affected","version":"9.0.174","lessThan":"9.0.174.513","versionType":"custom"},{"status":"affected","version":"9.20.74","lessThan":"9.20.74.375","versionType":"custom"},{"status":"affected","version":"9.28.116","lessThan":"9.28.116.352","versionType":"custom"},{"status":"affected","version":"9.29.120","lessThan":"9.29.120.177","versionType":"custom"},{"status":"affected","version":"9.30.67","lessThan":"9.30.67.100","versionType":"custom"},{"status":"affected","version":"9.31.86","lessThan":"9.31.86.58","versionType":"custom"},{"status":"unaffected","version":"9.32.75","lessThanOrEqual":"*","versionType":"custom"}],"defaultStatus":"unknown"}],"cpeApplicability":[{"operator":"OR","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_api_control_plane:*:*:*:*:*:*:*:*","versionStartIncluding":"4.5.0","versionEndExcluding":"4.5.0.18"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_universal_gateway:*:*:*:*:*:*:*:*","versionStartIncluding":"4.5.0","versionEndExcluding":"4.5.0.17"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_traffic_manager:*:*:*:*:*:*:*:*","versionStartIncluding":"4.5.0","versionEndExcluding":"4.5.0.17"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*","versionStartIncluding":"3.2.0","versionEndExcluding":"3.2.0.435"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*","versionStartIncluding":"3.2.1","versionEndExcluding":"3.2.1.55"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*","versionStartIncluding":"4.0.0","versionEndExcluding":"4.0.0.355"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*","versionStartIncluding":"4.1.0","versionEndExcluding":"4.1.0.219"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2.0","versionEndExcluding":"4.2.0.157"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3.0","versionEndExcluding":"4.3.0.70"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*","versionStartIncluding":"4.4.0","versionEndExcluding":"4.4.0.33"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*","versionStartIncluding":"4.5.0","versionEndExcluding":"4.5.0.17"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_carbon_api_management_implementation:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7.206","versionEndExcluding":"6.7.206.563"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_carbon_api_management_implementation:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7.210","versionEndExcluding":"6.7.210.55"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_carbon_api_management_implementation:*:*:*:*:*:*:*:*","versionStartIncluding":"9.0.174","versionEndExcluding":"9.0.174.513"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_carbon_api_management_implementation:*:*:*:*:*:*:*:*","versionStartIncluding":"9.20.74","versionEndExcluding":"9.20.74.375"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_carbon_api_management_implementation:*:*:*:*:*:*:*:*","versionStartIncluding":"9.28.116","versionEndExcluding":"9.28.116.352"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_carbon_api_management_implementation:*:*:*:*:*:*:*:*","versionStartIncluding":"9.29.120","versionEndExcluding":"9.29.120.177"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_carbon_api_management_implementation:*:*:*:*:*:*:*:*","versionStartIncluding":"9.30.67","versionEndExcluding":"9.30.67.100"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_carbon_api_management_implementation:*:*:*:*:*:*:*:*","versionStartIncluding":"9.31.86","versionEndExcluding":"9.31.86.58"},{"vulnerable":false,"criteria":"cpe:2.3:a:wso2:wso2_carbon_api_management_implementation:*:*:*:*:*:*:*:*","versionStartIncluding":"9.32.75","versionEndIncluding":"*"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_carbon_api_manager_rest_api_utility:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7.206","versionEndExcluding":"6.7.206.563"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_carbon_api_manager_rest_api_utility:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7.210","versionEndExcluding":"6.7.210.55"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_carbon_api_manager_rest_api_utility:*:*:*:*:*:*:*:*","versionStartIncluding":"9.0.174","versionEndExcluding":"9.0.174.513"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_carbon_api_manager_rest_api_utility:*:*:*:*:*:*:*:*","versionStartIncluding":"9.20.74","versionEndExcluding":"9.20.74.375"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_carbon_api_manager_rest_api_utility:*:*:*:*:*:*:*:*","versionStartIncluding":"9.28.116","versionEndExcluding":"9.28.116.352"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_carbon_api_manager_rest_api_utility:*:*:*:*:*:*:*:*","versionStartIncluding":"9.29.120","versionEndExcluding":"9.29.120.177"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_carbon_api_manager_rest_api_utility:*:*:*:*:*:*:*:*","versionStartIncluding":"9.30.67","versionEndExcluding":"9.30.67.100"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:wso2_carbon_api_manager_rest_api_utility:*:*:*:*:*:*:*:*","versionStartIncluding":"9.31.86","versionEndExcluding":"9.31.86.58"},{"vulnerable":false,"criteria":"cpe:2.3:a:wso2:wso2_carbon_api_manager_rest_api_utility:*:*:*:*:*:*:*:*","versionStartIncluding":"9.32.75","versionEndIncluding":"*"}]}]}],"descriptions":[{"lang":"en","value":"The software fails to enforce role-based access controls for certain Gateway API invocations. Users with the 'Internal/Everyone' role can invoke these APIs, bypassing intended permission checks. This same vulnerability also affects Internal Service APIs, potentially exposing them in WSO2 APIM 3.x versions.\n\nA malicious actor with a valid user account on a vulnerable deployment can perform sensitive operations against the Gateway REST API regardless of their actual roles or privileges. This could lead to unintended behavior or misuse, particularly in production environments.","supportingMedia":[{"type":"text/html","base64":false,"value":"The software fails to enforce role-based access controls for certain Gateway API invocations. Users with the 'Internal/Everyone' role can invoke these APIs, bypassing intended permission checks. This same vulnerability also affects Internal Service APIs, potentially exposing them in WSO2 APIM 3.x versions.\n\nA malicious actor with a valid user account on a vulnerable deployment can perform sensitive operations against the Gateway REST API regardless of their actual roles or privileges. This could lead to unintended behavior or misuse, particularly in production environments."}]}],"references":[{"url":"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4401/","tags":["vendor-advisory"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV3_1":{"version":"3.1","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW","baseSeverity":"MEDIUM","baseScore":6.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"}}],"solutions":[{"lang":"en","value":"Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4401/#solution","supportingMedia":[{"type":"text/html","base64":false,"value":"<span style=\"background-color: transparent;\">Follow the instructions given on </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4401/#solution\"><span style=\"background-color: transparent;\">https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4401/#solution</span></a> <br>"}]}],"source":{"advisory":"WSO2-2025-4401","discovery":"INTERNAL"},"x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-11T12:41:13.926378Z","id":"CVE-2025-8325","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-11T12:41:26.715Z"}}]}}