CVE-2024-7097
published 2025-05-30CVE-2024-7097: An incorrect authorization vulnerability exists in multiple WSO2 products due to a flaw in the SOAP admin service, which allows user account creation…
PriorityP276medium4.3CVSS 3.1
AVAACLPRNUINSUCNILAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
0.54%
41.3th percentile
An incorrect authorization vulnerability exists in multiple WSO2 products due to a flaw in the SOAP admin service, which allows user account creation regardless of the self-registration configuration settings. This vulnerability enables malicious actors to create new user accounts without proper authorization.
Exploitation of this flaw could allow an attacker to create multiple low-privileged user accounts, gaining unauthorized access to the system. Additionally, continuous exploitation could lead to system resource exhaustion through mass user creation.
Affected
79 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | identity_server | — | — |
| wso2 | identity_server | — | — |
| wso2 | identity_server | — | — |
| wso2 | identity_server | — | — |
| wso2 | identity_server | — | — |
| wso2 | identity_server | — | — |
| wso2 | identity_server | — | — |
| wso2 | identity_server | — | — |
| wso2 | identity_server | — | — |
| wso2 | identity_server | — | — |
| wso2 | identity_server | — | — |
| wso2 | identity_server | — | — |
| wso2 | identity_server | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect unauthenticated POST requests to the WSO2 SOAP user registration endpoint targeting 'urn:addUser' action, which indicates exploitation of arbitrary account creation. ↗
- →A successful exploit results in an HTTP 202 response from the UserRegistrationAdminService endpoint, followed by a successful login response ('loginResponse' + 'true') from /services/AuthenticationAdmin — monitor for this two-step sequence from unauthenticated sources. ↗
- →Shodan-exposed WSO2 Carbon Server instances are targeted; monitor internet-facing WSO2 deployments for unexpected SOAP calls to UserRegistrationAdminService. ↗
- →Mass user creation via repeated SOAP calls to the registration endpoint can indicate resource exhaustion abuse; alert on high-frequency POST requests to /services/UserRegistrationAdminService.*. ↗
- ·The vulnerability bypasses self-registration configuration settings entirely — disabling self-registration in WSO2 admin settings does NOT prevent exploitation via the SOAP admin service endpoint. ↗
- ·The exploit is a two-step flow: step 1 creates the user via UserRegistrationAdminService (expects HTTP 202), step 2 authenticates via AuthenticationAdmin to confirm account creation (expects 'loginResponse' + 'true'). Both steps must be blocked/monitored. ↗
CVSS provenance
nvdv3.14.3MEDIUMCVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vulncheck4.3MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-2vx2-pv2m-vwrq: An incorrect authorization vulnerability exists in multiple WSO2 products due to a flaw in the SOAP admin service, which allows user account creation
ghsa_unreviewed·2025-05-30
CVE-2024-7097 [MEDIUM] CWE-863 GHSA-2vx2-pv2m-vwrq: An incorrect authorization vulnerability exists in multiple WSO2 products due to a flaw in the SOAP admin service, which allows user account creation
An incorrect authorization vulnerability exists in multiple WSO2 products due to a flaw in the SOAP admin service, which allows user account creation regardless of the self-registration configuration settings. This vulnerability enables malicious actors to create new user accounts without proper authorization.
Exploitation of this flaw could allow an attacker to create multiple low-privileged user accounts, gaining unauthorized access to the system. Additionally, continuous exploitation could lead to system resource exhaustion through mass user creation.
VulnCheck
WSO2 User Registration Arbitrary Account Creation
vulncheck·2024·CVSS 4.3
CVE-2024-7097 [MEDIUM] WSO2 User Registration Arbitrary Account Creation
WSO2 User Registration Arbitrary Account Creation
The SOAP admin service in WSO2 products has a security vulnerability that allows the creation of new user accounts regardless of the self-registration configuration settings.
Affected: WSO2 WSO2 API Manager, WSO2 Identity Server, WSO2 Identity Server as Key Manager
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-02-02&host_type=src&vulnerability=cve-2024-7097; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-02-03&host_type=src&vulnerability=cve-2024-7097; https://dashboard.shadowserver.org/
No detection rules found.
Nuclei
WSO2 User Registration - Arbitrary Account Creation
nuclei·CVSS 4.3
CVE-2024-7097 [MEDIUM] WSO2 User Registration - Arbitrary Account Creation
WSO2 User Registration - Arbitrary Account Creation
The SOAP admin service in WSO2 products has a security vulnerability that allows the creation of new user accounts regardless of the self-registration configuration settings.
Template:
id: CVE-2024-7097
info:
name: WSO2 User Registration - Arbitrary Account Creation
author: iamnoooob,rootxharsh,pdresearch
severity: medium
description: |
The SOAP admin service in WSO2 products has a security vulnerability that allows the creation of new user accounts regardless of the self-registration configuration settings.
impact: |
Unauthenticated attackers can bypass self-registration restrictions to create arbitrary user accounts, potentially gaining unauthorized access to the WSO2 system and its resources.
remediation: |
Apply security patches f
No writeups or analysis indexed.
2025-05-30
Published
Exploited in the wild