CVE-2025-9804
published 2025-10-16


Priority: P3 (44), medium
CVSS 3.1 base score: 6.5
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.51% (39.5th percentile)
An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information. This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected.

Affected

209 ranges, showing 25. The listing also covers wso2 api_control_plane (1 range), wso2 api_manager (15 ranges), wso2 api_manager_analytics (4 further ranges) and wso2 data_analytics_server (1 range), whose version range and fixed-in columns are empty in this record; the four rows that carry version data are:

Vendor   Product                 Version range         Fixed in
wso2     api_manager_analytics   >= 2.0.0, < 2.0.0.14  2.0.0.14
wso2     api_manager_analytics   >= 2.1.0, < 2.1.0.19  2.1.0.19
wso2     api_manager_analytics   >= 2.2.0, < 2.2.0.30  2.2.0.30
wso2     api_manager_analytics   >= 2.5.0, < 2.5.0.39  2.5.0.39