CVE-2025-9152
published 2025-10-16


Priority: P2 (66)
Severity: critical, CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.68% (47.7th percentile)
An improper privilege management vulnerability exists in WSO2 API Manager due to missing authentication and authorization checks in the keymanager-operations Dynamic Client Registration (DCR) endpoint. A malicious user can exploit this flaw to generate access tokens with elevated privileges, potentially leading to administrative access and the ability to perform unauthorized operations.

Affected

18 ranges

Vendor   Product                  Version range               Fixed in
wso2     api_control_plane        -                           -
wso2     api_manager              -                           -
wso2     api_manager              -                           -
wso2     api_manager              -                           -
wso2     api_manager              -                           -
wso2     api_manager              -                           -
wso2     api_manager              -                           -
wso2     api_manager              -                           -
wso2     api_manager              -                           -
wso2     wso2_api_control_plane   >= 4.5.0 < 4.5.0.20         4.5.0.20
wso2     wso2_api_manager         >= 3.2.0 < 3.2.0.437        3.2.0.437
wso2     wso2_api_manager         >= 3.2.1 < 3.2.1.57         3.2.1.57
wso2     wso2_api_manager         >= 4.0.0 < 4.0.0.357        4.0.0.357
wso2     wso2_api_manager         >= 4.1.0 < 4.1.0.221        4.1.0.221
wso2     wso2_api_manager         >= 4.2.0 < 4.2.0.159        4.2.0.159
wso2     wso2_api_manager         >= 4.3.0 < 4.3.0.72         4.3.0.72
wso2     wso2_api_manager         >= 4.4.0 < 4.4.0.35         4.4.0.35
wso2     wso2_api_manager         >= 4.5.0 < 4.5.0.19         4.5.0.19