The WSO2 project has released urgent security advisories addressing two critical access control vulnerabilities, CVE-2025-9804 and CVE-2025-10611, that affect multiple enterprise products, including API Manager, Identity Server, and Open Banking solutions. The first lets a low-privileged user perform actions beyond their role; the second lets an unauthenticated attacker perform administrative operations. Both put enterprise API gateways and identity infrastructure at risk.
Tracked as CVE-2025-9804 with a CVSS score of 9.6 (Critical), this vulnerability stems from improper access control across SOAP Admin Services and System REST APIs in several WSO2 components.
According to the advisory, “Due to improper permissions set in certain SOAP Admin Services and System REST APIs, a user with low privileges can perform unauthorized actions, including accessing certain server-level information.”
The issue affects a broad range of WSO2 products, including:
- API Manager (versions 2.0.0 through 4.5.0)
- Identity Server (versions 5.2.0 through 7.1.0)
- API Control Plane, Data Analytics Server, Enterprise Integrator, Universal Gateway, and others
The flaw lets an authenticated user with limited permissions perform operations outside their assigned role, including reading server-level information that should be restricted to administrators. WSO2 explains: “Successful exploitation of this vulnerability could allow a malicious actor to perform unauthorized operations on the affected product.”
The second flaw, CVE-2025-10611 (CVSS 9.8 – Critical), involves missing authentication and authorization checks on certain System REST APIs.
As WSO2 describes, “Due to an insufficient access control implementation, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without proper validation.”
This vulnerability could allow attackers to gain administrative access without valid credentials.
“Successful exploitation of this vulnerability could lead to a malicious actor gaining administrative access and performing unauthenticated and unauthorized administrative operations.”
Affected products include:
- WSO2 API Manager (2.1.0–4.5.0)
- WSO2 Identity Server (5.3.0–7.1.0)
- WSO2 Identity Server as Key Manager (5.3.0–5.10.0)
- WSO2 Open Banking AM and IAM (1.4.0–2.0.0)
- WSO2 Traffic Manager and Universal Gateway (4.5.0)
Despite the critical nature of these vulnerabilities, WSO2 clarified that the affected surface is the management plane (the SOAP Admin Services and System REST APIs), not the APIs that the gateway proxies on behalf of API publishers. The advisory notes, “Any APIs created and exposed through the WSO2 API Manager’s API Gateway remain unaffected.”
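Because both advisories concern the management plane rather than gateway-proxied APIs, one practical check while patches are rolled out is to confirm that the SOAP Admin Services and System REST API paths are only ever reached from trusted networks. The script below is an added example, not WSO2's code or anything from the advisories: it parses combined-format HTTP access log lines (the format the Carbon/Tomcat access log produces) and flags successful (2xx) requests to management-plane paths from sources outside a trusted CIDR list. The log lines are constructed, and the path prefixes and the specific service and endpoint names in them are placeholders that must be adjusted to the deployment. Note the caveat built into the design: an access log cannot tell an authenticated 200 from an unauthenticated one, so the check keys on the network boundary and on the status code rather than trying to infer whether an authorization check actually ran.

```python
import ipaddress
import re

# Management-plane path prefixes to watch. The advisories name the SOAP Admin
# Services and the System REST APIs as the affected surfaces; the exact prefixes
# listed here are assumptions for illustration and should match the deployment.
MANAGEMENT_PREFIXES = ("/services/", "/api/am/admin/", "/api/server/")

# Constructed sample lines in Apache/Tomcat combined log format. The service and
# endpoint names are placeholders, not references to specific WSO2 services.
SAMPLE_LOG = """\
10.0.1.15 - - [12/Oct/2025:10:01:02 +0000] "POST /services/ExampleAdminService HTTP/1.1" 200 1320 "-" "curl/8.0"
203.0.113.7 - - [12/Oct/2025:10:02:11 +0000] "POST /services/ExampleAdminService HTTP/1.1" 200 1320 "-" "python-requests/2.31"
203.0.113.7 - - [12/Oct/2025:10:02:12 +0000] "GET /api/am/admin/v4/settings HTTP/1.1" 401 95 "-" "python-requests/2.31"
198.51.100.9 - - [12/Oct/2025:10:03:40 +0000] "GET /api/server/v1/configs HTTP/1.1" 200 410 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Oct/2025:10:03:41 +0000] "GET /pizzashack/1.0.0/menu HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined log format: client ip, ident, remote user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_management_path(path):
    """True when the request path falls under one of the watched admin prefixes."""
    return path.startswith(MANAGEMENT_PREFIXES)


def is_trusted(ip, trusted_nets):
    """True when the client address lies inside any of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted_nets)


def find_untrusted_management_hits(lines, trusted_cidrs):
    """Return parsed records for 2xx responses on management paths from untrusted sources.

    Non-2xx responses (for example a 401 from an intact auth check) are not reported;
    a 2xx from outside the trusted ranges is what deserves investigation.
    """
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_management_path(rec["path"]):
            continue
        if is_trusted(rec["ip"], nets):
            continue
        if 200 <= rec["status"] < 300:
            hits.append(rec)
    return hits


def hits_by_source(hits):
    """Aggregate findings per client address so repeat offenders stand out."""
    counts = {}
    for rec in hits:
        counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    findings = find_untrusted_management_hits(SAMPLE_LOG.splitlines(), ["10.0.0.0/8"])
    for rec in findings:
        print(f'{rec["ts"]} {rec["ip"]} {rec["method"]} {rec["path"]} -> {rec["status"]}')
    print(hits_by_source(findings))
```

Run against a real log by replacing `SAMPLE_LOG` with the file contents and `["10.0.0.0/8"]` with the ranges that are legitimately allowed to reach the management plane. Any hit is worth correlating with the product's own audit log, since the access log alone cannot show whether the request carried valid credentials.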
WSO2 has provided fixes for both open-source and commercial users.