{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-9804","assignerOrgId":"ed10eef1-636d-4fbe-9993-6890dfa878f8","state":"PUBLISHED","assignerShortName":"WSO2","dateReserved":"2025-09-01T13:11:12.678Z","datePublished":"2025-10-16T12:33:45.426Z","dateUpdated":"2025-10-17T16:01:25.350Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"WSO2 Identity Server as Key Manager","vendor":"WSO2","versions":[{"lessThan":"5.3.0","status":"unknown","version":"0","versionType":"custom"},{"lessThan":"5.3.0.41","status":"affected","version":"5.3.0","versionType":"custom"},{"lessThan":"5.5.0.53","status":"affected","version":"5.5.0","versionType":"custom"},{"lessThan":"5.6.0.75","status":"affected","version":"5.6.0","versionType":"custom"},{"lessThan":"5.7.0.125","status":"affected","version":"5.7.0","versionType":"custom"},{"lessThan":"5.9.0.176","status":"affected","version":"5.9.0","versionType":"custom"},{"lessThan":"5.10.0.359","status":"affected","version":"5.10.0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"WSO2 Identity 
Server","vendor":"WSO2","versions":[{"lessThan":"5.2.0","status":"unknown","version":"0","versionType":"custom"},{"lessThan":"5.2.0.34","status":"affected","version":"5.2.0","versionType":"custom"},{"lessThan":"5.3.0.36","status":"affected","version":"5.3.0","versionType":"custom"},{"lessThan":"5.4.0.34","status":"affected","version":"5.4.0","versionType":"custom"},{"lessThan":"5.4.1.38","status":"affected","version":"5.4.1","versionType":"custom"},{"lessThan":"5.5.0.52","status":"affected","version":"5.5.0","versionType":"custom"},{"lessThan":"5.6.0.60","status":"affected","version":"5.6.0","versionType":"custom"},{"lessThan":"5.7.0.126","status":"affected","version":"5.7.0","versionType":"custom"},{"lessThan":"5.8.0.110","status":"affected","version":"5.8.0","versionType":"custom"},{"lessThan":"5.9.0.169","status":"affected","version":"5.9.0","versionType":"custom"},{"lessThan":"5.10.0.369","status":"affected","version":"5.10.0","versionType":"custom"},{"lessThan":"5.11.0.413","status":"affected","version":"5.11.0","versionType":"custom"},{"lessThan":"6.0.0.244","status":"affected","version":"6.0.0","versionType":"custom"},{"lessThan":"6.1.0.243","status":"affected","version":"6.1.0","versionType":"custom"},{"lessThan":"7.0.0.118","status":"affected","version":"7.0.0","versionType":"custom"},{"lessThan":"7.1.0.25","status":"affected","version":"7.1.0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"WSO2 Open Banking KM","vendor":"WSO2","versions":[{"lessThan":"1.4.0","status":"unknown","version":"0","versionType":"custom"},{"lessThan":"1.4.0.133","status":"affected","version":"1.4.0","versionType":"custom"},{"lessThan":"1.5.0.123","status":"affected","version":"1.5.0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"WSO2 Open Banking 
IAM","vendor":"WSO2","versions":[{"lessThan":"2.0.0","status":"unknown","version":"0","versionType":"custom"},{"lessThan":"2.0.0.409","status":"affected","version":"2.0.0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"WSO2 Open Banking AM","vendor":"WSO2","versions":[{"lessThan":"1.4.0","status":"unknown","version":"0","versionType":"custom"},{"lessThan":"1.4.0.139","status":"affected","version":"1.4.0","versionType":"custom"},{"lessThan":"1.5.0.140","status":"affected","version":"1.5.0","versionType":"custom"},{"lessThan":"2.0.0.389","status":"affected","version":"2.0.0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"WSO2 API Manager","vendor":"WSO2","versions":[{"lessThan":"2.0.0","status":"unknown","version":"0","versionType":"custom"},{"lessThan":"2.0.0.31","status":"affected","version":"2.0.0","versionType":"custom"},{"lessThan":"2.1.0.40","status":"affected","version":"2.1.0","versionType":"custom"},{"lessThan":"2.2.0.59","status":"affected","version":"2.2.0","versionType":"custom"},{"lessThan":"2.5.0.85","status":"affected","version":"2.5.0","versionType":"custom"},{"lessThan":"2.6.0.146","status":"affected","version":"2.6.0","versionType":"custom"},{"lessThan":"3.0.0.176","status":"affected","version":"3.0.0","versionType":"custom"},{"lessThan":"3.1.0.340","status":"affected","version":"3.1.0","versionType":"custom"},{"lessThan":"3.2.0.441","status":"affected","version":"3.2.0","versionType":"custom"},{"lessThan":"3.2.1.61","status":"affected","version":"3.2.1","versionType":"custom"},{"lessThan":"4.0.0.361","status":"affected","version":"4.0.0","versionType":"custom"},{"lessThan":"4.1.0.224","status":"affected","version":"4.1.0","versionType":"custom"},{"lessThan":"4.2.0.162","status":"affected","version":"4.2.0","versionType":"custom"},{"lessThan":"4.3.0.75","status":"affected","version":"4.3.0","versionType":"custom"},{"lessThan":"4.4.0.39","status":"affected","version":"4.4.0","versionType":"custom"},{"lessThan":"
4.5.0.23","status":"affected","version":"4.5.0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"WSO2 Identity Server Analytics","vendor":"WSO2","versions":[{"lessThan":"5.2.0","status":"unknown","version":"0","versionType":"custom"},{"lessThan":"5.2.0.19","status":"affected","version":"5.2.0","versionType":"custom"},{"lessThan":"5.3.0.17","status":"affected","version":"5.3.0","versionType":"custom"},{"lessThan":"5.5.0.31","status":"affected","version":"5.5.0","versionType":"custom"},{"lessThan":"5.6.0.38","status":"affected","version":"5.6.0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"API Manager Analytics","vendor":"WSO2","versions":[{"lessThan":"2.0.0","status":"unknown","version":"0","versionType":"custom"},{"lessThan":"2.0.0.14","status":"affected","version":"2.0.0","versionType":"custom"},{"lessThan":"2.1.0.19","status":"affected","version":"2.1.0","versionType":"custom"},{"lessThan":"2.2.0.30","status":"affected","version":"2.2.0","versionType":"custom"},{"lessThan":"2.5.0.39","status":"affected","version":"2.5.0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"WSO2 Enterprise Integrator","vendor":"WSO2","versions":[{"lessThan":"6.2.0","status":"unknown","version":"0","versionType":"custom"},{"lessThan":"6.2.0.62","status":"affected","version":"6.2.0","versionType":"custom"},{"lessThan":"6.3.0.70","status":"affected","version":"6.3.0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"WSO2 Enterprise Service Bus Analytics","vendor":"WSO2","versions":[{"lessThan":"5.0.0","status":"unknown","version":"0","versionType":"custom"},{"lessThan":"5.0.0.13","status":"affected","version":"5.0.0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"WSO2 Data Analytics 
Server","vendor":"WSO2","versions":[{"lessThan":"3.1.0","status":"unknown","version":"0","versionType":"custom"},{"lessThan":"3.1.0.20","status":"affected","version":"3.1.0","versionType":"custom"},{"lessThan":"3.2.0.33","status":"affected","version":"3.2.0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"WSO2 Enterprise Mobility Manager","vendor":"WSO2","versions":[{"lessThan":"2.2.0","status":"unknown","version":"0","versionType":"custom"},{"lessThan":"2.2.0.28","status":"affected","version":"2.2.0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"WSO2 Universal Gateway","vendor":"WSO2","versions":[{"lessThan":"4.5.0.22","status":"affected","version":"4.5.0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"WSO2 API Control Plane","vendor":"WSO2","versions":[{"lessThan":"4.5.0.24","status":"affected","version":"4.5.0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"WSO2 Traffic Manager","vendor":"WSO2","versions":[{"lessThan":"4.5.0.22","status":"affected","version":"4.5.0","versionType":"custom"}]},{"defaultStatus":"unknown","packageName":"org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector","product":"org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector","vendor":"WSO2","versions":[{"lessThan":"2.0.10.1","status":"affected","version":"2.0.10","versionType":"custom"},{"lessThan":"2.0.15.1","status":"affected","version":"2.0.15","versionType":"custom"},{"lessThan":"2.0.21.1","status":"affected","version":"2.0.21","versionType":"custom"},{"lessThan":"2.0.22.1","status":"affected","version":"2.0.22","versionType":"custom"},{"lessThan":"2.1.12.1","status":"affected","version":"2.1.12","versionType":"custom"},{"lessThan":"2.1.1972","status":"affected","version":"2.1","versionType":"custom"},{"lessThan":"2.2.24","status":"affected","version":"2.2","ve
rsionType":"custom"},{"lessThan":"2.2.25","status":"affected","version":"2.2","versionType":"custom"},{"lessThan":"3.1.0.74","status":"affected","version":"3.1.0","versionType":"custom"},{"lessThan":"3.3.6.7","status":"affected","version":"3.3.6","versionType":"custom"},{"lessThan":"3.3.26.2","status":"affected","version":"3.3.26","versionType":"custom"},{"lessThan":"3.3.35.1","status":"affected","version":"3.3.35","versionType":"custom"},{"lessThanOrEqual":"*","status":"unaffected","version":"3.3.41","versionType":"custom"}]},{"defaultStatus":"unknown","packageName":"org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util","product":"org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util","vendor":"WSO2","versions":[{"lessThan":"6.7.206.567","status":"affected","version":"6.7.206","versionType":"custom"},{"lessThan":"6.7.210.63","status":"affected","version":"6.7.210","versionType":"custom"},{"lessThan":"9.0.174.522","status":"affected","version":"9.0.174","versionType":"custom"},{"lessThan":"9.20.74.379","status":"affected","version":"9.20.74","versionType":"custom"},{"lessThan":"9.28.116.360","status":"affected","version":"9.28.116","versionType":"custom"},{"lessThan":"9.29.120.184","status":"affected","version":"9.29.120","versionType":"custom"},{"lessThan":"9.30.67.109","status":"affected","version":"9.30.67","versionType":"custom"},{"lessThan":"9.31.86.71","status":"affected","version":"9.31.86","versionType":"custom"},{"lessThanOrEqual":"*","status":"unaffected","version":"9.32.133","versionType":"custom"}]},{"defaultStatus":"unknown","packageName":"org.wso2.carbon:org.wso2.carbon.base","product":"org.wso2.carbon:org.wso2.carbon.base","vendor":"WSO2","versions":[{"lessThan":"4.4.7.6","status":"affected","version":"4.4.7","versionType":"custom"},{"lessThan":"4.4.9.11","status":"affected","version":"4.4.9","versionType":"custom"},{"lessThan":"4.4.11.9","status":"affected","version":"4.4.11","versionType":"custom"},{"lessThan":"4.4.26.12","status":"affe
cted","version":"4.4.26","versionType":"custom"},{"lessThan":"4.4.35.44","status":"affected","version":"4.4.35","versionType":"custom"},{"lessThan":"4.5.1.43","status":"affected","version":"4.5.1","versionType":"custom"},{"lessThan":"4.6.0.1990","status":"affected","version":"4.6.0","versionType":"custom"},{"lessThan":"4.6.1.149","status":"affected","version":"4.6.1","versionType":"custom"},{"lessThan":"4.6.2.667","status":"affected","version":"4.6.2","versionType":"custom"},{"lessThan":"4.6.3.36","status":"affected","version":"4.6.3","versionType":"custom"},{"lessThan":"4.6.4.14","status":"affected","version":"4.6.4","versionType":"custom"},{"lessThan":"4.7.1.68","status":"affected","version":"4.7.1","versionType":"custom"},{"lessThan":"4.8.1.39","status":"affected","version":"4.8.1","versionType":"custom"},{"lessThan":"4.9.0.99","status":"affected","version":"4.9.0","versionType":"custom"},{"lessThan":"4.9.26.25","status":"affected","version":"4.9.26","versionType":"custom"},{"lessThan":"4.9.27.10","status":"affected","version":"4.9.27","versionType":"custom"},{"lessThan":"4.9.28.11","status":"affected","version":"4.9.28","versionType":"custom"},{"lessThan":"4.10.9.66","status":"affected","version":"4.10.9","versionType":"custom"},{"lessThan":"4.10.42.9","status":"affected","version":"4.10.42","versionType":"custom"},{"lessThan":"4.9.29","status":"affected","version":"4.9","versionType":"custom"},{"lessThan":"4.10.94","status":"affected","version":"4.10","versionType":"custom"}]},{"defaultStatus":"unknown","packageName":"org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt","product":"org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt","vendor":"WSO2","versions":[{"lessThan":"5.2.0.4","status":"affected","version":"5.2.0","versionType":"custom"},{"lessThan":"5.2.2.21","status":"affected","version":"5.2.2","versionType":"custom"},{"lessThan":"5.7.5.18","status":"affected","version":"5.7.5","versionType":"custom"},{"le
ssThan":"5.11.148.19","status":"affected","version":"5.11.148","versionType":"custom"},{"lessThan":"5.11.256.21","status":"affected","version":"5.11.256","versionType":"custom"},{"lessThan":"5.12.153.63","status":"affected","version":"5.12.153","versionType":"custom"},{"lessThan":"5.12.387.46","status":"affected","version":"5.12.387","versionType":"custom"},{"lessThan":"5.14.97.89","status":"affected","version":"5.14.97","versionType":"custom"},{"lessThan":"5.17.5.317","status":"affected","version":"5.17.5","versionType":"custom"},{"lessThan":"5.17.118.17","status":"affected","version":"5.17.118","versionType":"custom"},{"lessThan":"5.18.187.309","status":"affected","version":"5.18.187","versionType":"custom"},{"lessThan":"5.18.248.30","status":"affected","version":"5.18.248","versionType":"custom"},{"lessThan":"5.23.8.207","status":"affected","version":"5.23.8","versionType":"custom"},{"lessThan":"5.24.8.23","status":"affected","version":"5.24.8","versionType":"custom"},{"lessThan":"5.25.92.152","status":"affected","version":"5.25.92","versionType":"custom"},{"lessThan":"5.25.705.19","status":"affected","version":"5.25.705","versionType":"custom"},{"lessThan":"5.25.713.9","status":"affected","version":"5.25.713","versionType":"custom"},{"lessThan":"5.25.724.3","status":"affected","version":"5.25.724","versionType":"custom"},{"lessThan":"7.0.78.133","status":"affected","version":"7.0.78","versionType":"custom"},{"lessThan":"7.8.23.47","status":"affected","version":"7.8.23","versionType":"custom"},{"lessThan":"5.25.734","status":"affected","version":"5.25","versionType":"custom"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.8.489","versionType":"custom"}]},{"defaultStatus":"unknown","packageName":"org.wso2.carbon:org.wso2.carbon.server.admin","product":"org.wso2.carbon:org.wso2.carbon.server.admin","vendor":"WSO2","versions":[{"lessThan":"4.4.7.6","status":"affected","version":"4.4.7","versionType":"custom"},{"lessThan":"4.4.9.11","status":"affected","ve
rsion":"4.4.9","versionType":"custom"},{"lessThan":"4.4.11.9","status":"affected","version":"4.4.11","versionType":"custom"},{"lessThan":"4.4.26.12","status":"affected","version":"4.4.26","versionType":"custom"},{"lessThan":"4.4.32.16","status":"affected","version":"4.4.32","versionType":"custom"},{"lessThan":"4.4.35.44","status":"affected","version":"4.4.35","versionType":"custom"},{"lessThan":"4.5.1.43","status":"affected","version":"4.5.1","versionType":"custom"},{"lessThan":"4.6.0.1990","status":"affected","version":"4.6.0","versionType":"custom"},{"lessThan":"4.6.1.149","status":"affected","version":"4.6.1","versionType":"custom"},{"lessThan":"4.6.2.667","status":"affected","version":"4.6.2","versionType":"custom"},{"lessThan":"4.6.3.36","status":"affected","version":"4.6.3","versionType":"custom"},{"lessThan":"4.6.4.14","status":"affected","version":"4.6.4","versionType":"custom"},{"lessThan":"4.7.1.68","status":"affected","version":"4.7.1","versionType":"custom"},{"lessThan":"4.8.1.39","status":"affected","version":"4.8.1","versionType":"custom"},{"lessThan":"4.9.0.99","status":"affected","version":"4.9.0","versionType":"custom"},{"lessThan":"4.9.26.25","status":"affected","version":"4.9.26","versionType":"custom"},{"lessThan":"4.9.27.10","status":"affected","version":"4.9.27","versionType":"custom"},{"lessThan":"4.9.28.11","status":"affected","version":"4.9.28","versionType":"custom"},{"lessThan":"4.10.9.66","status":"affected","version":"4.10.9","versionType":"custom"},{"lessThan":"4.10.42.9","status":"affected","version":"4.10.42","versionType":"custom"},{"lessThan":"4.9.29","status":"affected","version":"4.9","versionType":"custom"},{"lessThan":"4.10.94","status":"affected","version":"4.10","versionType":"custom"}]},{"defaultStatus":"unknown","packageName":"org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow","product":"org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow","vendor":"WSO2","versions":[{"lessThan":"5
.1.1.1","status":"affected","version":"5.1.1","versionType":"custom"},{"lessThan":"5.1.2.1","status":"affected","version":"5.1.2","versionType":"custom"},{"lessThan":"5.1.5.1","status":"affected","version":"5.1.5","versionType":"custom"},{"lessThan":"5.3.3.1","status":"affected","version":"5.3.3","versionType":"custom"},{"lessThan":"5.4.0.4","status":"affected","version":"5.4.0","versionType":"custom"},{"lessThan":"5.4.1.5","status":"affected","version":"5.4.1","versionType":"custom"},{"lessThan":"5.6.0.1","status":"affected","version":"5.6.0","versionType":"custom"},{"lessThanOrEqual":"*","status":"unaffected","version":"5.6.21","versionType":"custom"}]}],"credits":[{"lang":"en","type":"reporter","value":"crnković"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information.<br><br>This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected.<br>"}],"value":"An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information.\n\nThis vulnerability affects only internal administrative interfaces. 
APIs exposed through the WSO2 API Manager's API Gateway remain unaffected."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"ADJACENT_NETWORK","availabilityImpact":"HIGH","baseScore":9.6,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"For WSO2 API Manager"}]},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"ADJACENT_NETWORK","availabilityImpact":"LOW","baseScore":8.9,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"For WSO2 Identity Server"}]}],"providerMetadata":{"orgId":"ed10eef1-636d-4fbe-9993-6890dfa878f8","shortName":"WSO2","dateUpdated":"2025-10-16T12:33:45.426Z"},"references":[{"tags":["vendor-advisory"],"url":"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<span style=\"background-color: transparent;\">Follow the instructions given on </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/#solution\"><span style=\"background-color: transparent;\">https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/#solution</span></a> <br>"}],"value":"Follow the instructions given on  https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/#solution 
"}],"source":{"advisory":"WSO2-2025-4503","discovery":"EXTERNAL"},"title":"Improper Access Control in Multiple WSO2 Products via Internal SOAP Admin Services and System REST APIs","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-284","lang":"en","description":"CWE-284 Improper Access Control"}]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-10-16T13:20:20.582589Z","id":"CVE-2025-9804","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-10-17T16:01:25.350Z"}}]}}