CVE-2025-5605
published 2025-10-24


Priority: P183, medium, 5.3 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 0.81% (52.3rd percentile)
An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the console can manipulate the request URI to bypass authentication and access certain restricted resources, resulting in partial information disclosure. The known exposure from this issue is limited to memory statistics. While the vulnerability does not allow full account compromise, it still enables unauthorized access to internal system details.

Affected

59 ranges, showing 25

Vendor | Product | Version range | Fixed in
msrc | cbl2_toolbox_0.0.18-9_on_cbl_mariner_2.0 | |
wso2 | api_control_plane | |
wso2 | api_manager | |
wso2 | api_manager | |
wso2 | api_manager | |
wso2 | api_manager | |
wso2 | api_manager | |
wso2 | api_manager | |
wso2 | api_manager | |
wso2 | api_manager | |
wso2 | api_manager | |
wso2 | enterprise_integrator | |
wso2 | identity_server | |
wso2 | identity_server | |
wso2 | identity_server | |
wso2 | identity_server | |
wso2 | identity_server | |
wso2 | identity_server | |
wso2 | identity_server_as_key_manager | |
wso2 | open_banking_am | |
wso2 | open_banking_iam | |
wso2 | org.wso2.carbon_org.wso2.carbon.ui | >= 4.10.42 < 4.10.42.10 | 4.10.42.10
wso2 | org.wso2.carbon_org.wso2.carbon.ui | >= 4.10.9 < 4.10.9.68 | 4.10.9.68
wso2 | org.wso2.carbon_org.wso2.carbon.ui | >= 4.5.3 < 4.5.3.40 | 4.5.3.40
wso2 | org.wso2.carbon_org.wso2.carbon.ui | >= 4.6.0 < 4.6.0.1224 | 4.6.0.1224

Detection & IOCs (extracted from sources)

url: /carbon/server-admin/memory_info.jsp;.jar
path: /carbon/server-admin/memory_info.jsp;.jar
  • Detect authentication bypass attempts against WSO2 Management Console by looking for HTTP GET requests to '/carbon/server-admin/memory_info.jsp;.jar' — the semicolon-based URI manipulation is the bypass technique.
  • A successful exploitation response will contain both 'Memory Statistics' and 'Collection Usage' in the HTTP 200 response body from an unauthenticated request.
  • Use Shodan favicon hash 1398055326 to identify exposed WSO2 Management Console instances potentially vulnerable to CVE-2025-5605.
  • The bypass relies on URI path manipulation using a semicolon suffix (';.jar') appended to a JSP endpoint to circumvent authentication checks in the WSO2 Management Console.
  • Exploitation requires network access to the WSO2 Management Console; the vulnerability does not allow full account compromise, only partial information disclosure (memory statistics).
  • The known exposure is limited to memory statistics endpoints; other restricted resources may or may not be accessible depending on the specific WSO2 product and version.
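The detection bullets above describe a semicolon path-parameter suffix on a Management Console JSP. As an added example (not code from the advisory or from WSO2), the following Python scans constructed Common Log Format access-log lines for that pattern, decodes a percent-encoded semicolon, and reports whether the server answered 200; it generalizes from the single IOC path to any `/carbon/` JSP with a semicolon suffix. The log lines, IP addresses and function names are constructed for illustration; only the IOC path comes from the page.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Oct/2025:10:01:02 +0000] "GET /carbon/server-admin/memory_info.jsp;.jar HTTP/1.1" 200 5120
203.0.113.7 - - [24/Oct/2025:10:01:03 +0000] "GET /carbon/admin/login.jsp HTTP/1.1" 200 3301
198.51.100.9 - - [24/Oct/2025:10:02:11 +0000] "GET /carbon/server-admin/memory_info.jsp%3B.jar HTTP/1.1" 200 5120
198.51.100.9 - - [24/Oct/2025:10:02:12 +0000] "GET /carbon/server-admin/memory_info.jsp HTTP/1.1" 302 0
192.0.2.4 - - [24/Oct/2025:10:03:00 +0000] "GET /carbon/user-mgt/user-mgt.jsp;foo=bar HTTP/1.1" 401 0
"""

# Minimal CLF parser: client IP, request-line pieces and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Path published as the IOC for CVE-2025-5605.
KNOWN_IOC_PATH = "/carbon/server-admin/memory_info.jsp;.jar"


def classify_request(target: str, status: int):
    """Return a reason string if the request carries a semicolon
    path-parameter suffix on a Management Console JSP, else None."""
    path = unquote(target.split("?", 1)[0])  # drop query, decode %3B etc.
    if not path.startswith("/carbon/") or ";" not in path:
        return None
    if not path.split(";", 1)[0].lower().endswith(".jsp"):
        return None  # semicolon elsewhere (e.g. a jsessionid on a servlet)
    if path == KNOWN_IOC_PATH and status == 200:
        return "known CVE-2025-5605 IOC path answered 200 (likely successful bypass)"
    if status == 200:
        return "semicolon suffix on a console JSP answered 200 (possible bypass)"
    return "semicolon suffix on a console JSP (attempt, status %d)" % status


def scan_access_log(text: str):
    """Parse each CLF line and collect findings as dicts (ip, target, status, reason)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        status = int(m.group("status"))
        reason = classify_request(m.group("target"), status)
        if reason:
            findings.append({"ip": m.group("ip"), "target": m.group("target"),
                             "status": status, "reason": reason})
    return findings
```

Running `scan_access_log(SAMPLE_LOG)` on the constructed lines returns three findings: two hits on the exact IOC path (one of them percent-encoded) and one blocked attempt on another console JSP. Access logs cannot confirm the 'Memory Statistics'/'Collection Usage' body strings, so a 200 here is a trigger for reviewing the response, not proof of disclosure.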

CVSS provenance

nvd (v3.1): 5.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vulncheck: 4.3 MEDIUM
vendor_msrc: 5.9 MEDIUM