CVE-2025-9804
Published 2025-10-16
Priority: P3 44 · Severity: medium, 6.5 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.51% (39.5th percentile)
An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information.
This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected.
Affected
209 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wso2 | api_control_plane | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager_analytics | — | — |
| wso2 | api_manager_analytics | — | — |
| wso2 | api_manager_analytics | — | — |
| wso2 | api_manager_analytics | — | — |
| wso2 | api_manager_analytics | >= 2.0.0 < 2.0.0.14 | 2.0.0.14 |
| wso2 | api_manager_analytics | >= 2.1.0 < 2.1.0.19 | 2.1.0.19 |
| wso2 | api_manager_analytics | >= 2.2.0 < 2.2.0.30 | 2.2.0.30 |
| wso2 | api_manager_analytics | >= 2.5.0 < 2.5.0.39 | 2.5.0.39 |
| wso2 | data_analytics_server | — | — |
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.