CRITICAL🇵🇱 Wersja polska

CVE-2025-9152

CVSS 9.8v3.1pub. 2025-10-16upd. 2025-10-21

An improper privilege management vulnerability exists in WSO2 API Manager due to missing authentication and authorization checks in the keymanager-operations Dynamic Client Registration (DCR) endpoint. A malicious user can exploit this flaw to generate access tokens with elevated privileges, potentially leading to administrative access and the ability to perform unauthorized operations.

🤖 AI Analysis
How it works

The DCR endpoint in the keymanager-operations component does not require authentication or authorization (CWE-306: Missing Authentication for Critical Function). An attacker can directly send requests to this endpoint over the network without providing any authentication credentials. As a result, it is possible to generate access tokens with elevated privileges, which can subsequently be used to perform unauthorized administrative operations in the system.

Impact

An attacker can obtain access tokens with administrative privileges and perform arbitrary unauthorized operations in the system, leading to complete breach of confidentiality, integrity, and availability of the API Manager platform.

Mitigation & patch

Apply patches available from the vendor according to the references — detailed information about patched versions is contained in the WSO2 security advisory available at: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4483/

Who is affected

WSO2 API Manager and WSO2 API Control Plane — specific versions indicated in vendor references (WSO2-2025-4483)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Wso2 Api Control Plane

    APP
    Wso2
    4.5.0
  • Wso2 Api Manager

    APP
    Wso2
    3.2.03.2.14.0.04.1.04.2.04.3.04.4.04.5.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2022-29464CRITICAL9.8⚠ KEVten sam produkt

Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must u...

CVE-2025-13590CRITICAL9.1PL ✓ten sam produkt

WSO2 API Manager – RCE przez upload pliku z uprawnieniami administratora

CVE-2025-9312CRITICAL9.8PL ✓ten sam produkt

Brak wymuszania uwierzytelniania mTLS w produktach WSO2 — nieautoryzowany dostęp administracyjny

CVE-2025-10611CRITICAL9.8PL ✓ten sam produkt

Pominięcie kontroli dostępu w produktach WSO2 – nieautoryzowany dostęp administracyjny

CVE-2025-9804CRITICAL9.6PL ✓ten sam produkt

Nieprawidłowa kontrola dostępu w wewnętrznych API WSO2 (SOAP/REST)