cbcvebase.
CVE-2024-7097
published 2025-05-30

CVE-2024-7097: An incorrect authorization vulnerability exists in multiple WSO2 products due to a flaw in the SOAP admin service, which allows user account creation…

PriorityP276medium4.3CVSS 3.1
AVAACLPRNUINSUCNILAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
0.54%
41.3th percentile
An incorrect authorization vulnerability exists in multiple WSO2 products due to a flaw in the SOAP admin service, which allows user account creation regardless of the self-registration configuration settings. This vulnerability enables malicious actors to create new user accounts without proper authorization. Exploitation of this flaw could allow an attacker to create multiple low-privileged user accounts, gaining unauthorized access to the system. Additionally, continuous exploitation could lead to system resource exhaustion through mass user creation.

Affected

79 ranges· showing 25
VendorProductVersion rangeFixed in
wso2api_manager
wso2api_manager
wso2api_manager
wso2api_manager
wso2api_manager
wso2api_manager
wso2api_manager
wso2api_manager
wso2api_manager
wso2api_manager
wso2api_manager
wso2api_manager
wso2identity_server
wso2identity_server
wso2identity_server
wso2identity_server
wso2identity_server
wso2identity_server
wso2identity_server
wso2identity_server
wso2identity_server
wso2identity_server
wso2identity_server
wso2identity_server
wso2identity_server

Detection & IOCsextracted from sources · hover to see the quote

url/services/UserRegistrationAdminService.UserRegistrationAdminServiceHttpsSoap11Endpoint/
url/services/AuthenticationAdmin
otherSOAPAction: "urn:addUser"
otherloginResponse
  • Detect unauthenticated POST requests to the WSO2 SOAP user registration endpoint targeting 'urn:addUser' action, which indicates exploitation of arbitrary account creation.
  • A successful exploit results in an HTTP 202 response from the UserRegistrationAdminService endpoint, followed by a successful login response ('loginResponse' + 'true') from /services/AuthenticationAdmin — monitor for this two-step sequence from unauthenticated sources.
  • Shodan-exposed WSO2 Carbon Server instances are targeted; monitor internet-facing WSO2 deployments for unexpected SOAP calls to UserRegistrationAdminService.
  • Mass user creation via repeated SOAP calls to the registration endpoint can indicate resource exhaustion abuse; alert on high-frequency POST requests to /services/UserRegistrationAdminService.*.
  • ·The vulnerability bypasses self-registration configuration settings entirely — disabling self-registration in WSO2 admin settings does NOT prevent exploitation via the SOAP admin service endpoint.
  • ·The exploit is a two-step flow: step 1 creates the user via UserRegistrationAdminService (expects HTTP 202), step 2 authenticates via AuthenticationAdmin to confirm account creation (expects 'loginResponse' + 'true'). Both steps must be blocked/monitored.

CVSS provenance

nvdv3.14.3MEDIUMCVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vulncheck4.3MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.