Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-10611

CVE-2025-10611: WSO2 API Control Plane Auth Bypass Flaw

CVE-2025-10611 is an authentication bypass vulnerability in WSO2 API Control Plane that allows attackers to gain administrative access without proper validation. This article covers technical details, affected systems, and mitigations.

Updated:

CVE-2025-10611 Overview

CVE-2025-10611 is a broken access control vulnerability affecting multiple WSO2 products, including API Manager, Identity Server, Open Banking components, Traffic Manager, and Universal Gateway. The flaw stems from an insufficient access control implementation that allows authentication and authorization checks on certain REST APIs to be bypassed. Unauthenticated network-based attackers can invoke privileged REST API endpoints without valid credentials. Successful exploitation grants administrative access and enables unauthorized administrative operations across affected deployments. The weakness is categorized under CWE-863: Incorrect Authorization.

Critical Impact

Remote attackers can bypass authentication on WSO2 REST APIs and gain full administrative control of API Manager, Identity Server, and Open Banking deployments without credentials.

Affected Products

  • WSO2 API Manager versions 2.1.0 through 4.5.0
  • WSO2 Identity Server versions 5.3.0 through 7.1.0 and Identity Server as Key Manager 5.3.0 through 5.10.0
  • WSO2 API Control Plane 4.5.0, Traffic Manager 4.5.0, Universal Gateway 4.5.0, Open Banking AM/IAM/KM

Discovery Timeline

  • 2025-10-16 - CVE CVE-2025-10611 published to NVD
  • 2025-11-21 - Last updated in NVD database

Technical Details for CVE-2025-10611

Vulnerability Analysis

The vulnerability is an authorization bypass affecting REST API endpoints exposed by multiple WSO2 products. The underlying weakness is classified as CWE-863: Incorrect Authorization, indicating that access control logic exists but is implemented incorrectly. As a result, authentication and authorization checks for specific REST APIs do not execute as intended.

An attacker reaching the management or administrative REST API surface over the network can invoke protected operations without supplying valid credentials. Because WSO2 API Manager and Identity Server expose administrative functionality such as user management, OAuth client registration, API publishing, and key management through REST APIs, an attacker who bypasses these checks obtains administrative-equivalent capability over the platform.

Root Cause

The root cause is an insufficient access control implementation in the request handling layer that processes REST API invocations. Specific endpoints fail to enforce the authentication and authorization filters that should gate administrative operations. The defect is shared across the WSO2 Carbon platform, which explains why API Manager, Identity Server, Open Banking, Traffic Manager, Universal Gateway, and API Control Plane are all affected.

Attack Vector

Exploitation requires only network access to the management REST API of an affected WSO2 instance. No authentication, user interaction, or special privileges are needed. An attacker crafts HTTP requests to the affected REST endpoints and receives privileged responses or executes privileged actions. Refer to the WSO2 Security Advisory WSO2-2025-4585 for endpoint-specific technical details.

Detection Methods for CVE-2025-10611

Indicators of Compromise

  • Unexpected HTTP requests to WSO2 management REST API paths such as /api/am/, /scim2/, /t/, or /services/ originating from untrusted source addresses
  • Successful 2xx responses to administrative REST API calls that lack an Authorization header or valid session cookie
  • New OAuth applications, service providers, users, or API subscriptions created outside change-management windows
  • Outbound connections or configuration changes initiated by the WSO2 service account immediately following anomalous inbound API traffic

Detection Strategies

  • Review WSO2 Carbon access logs (wso2carbon.log, http_access_*.log) for administrative REST endpoint hits without preceding authentication events
  • Correlate API gateway and reverse proxy logs to flag requests to management ports (default 9443) from non-administrative network segments
  • Establish a baseline of legitimate administrative API callers and alert on deviations in source IP, user-agent, or request volume

Monitoring Recommendations

  • Forward WSO2 audit and access logs to a centralized SIEM and create detections for administrative endpoint access without prior authentication
  • Monitor identity store changes, OAuth client registrations, and API publisher actions for unauthorized modifications
  • Alert on configuration file changes within the WSO2 installation directory and on restarts of WSO2 services outside maintenance windows

How to Mitigate CVE-2025-10611

Immediate Actions Required

  • Apply the WSO2 WUM updates or product-specific patches referenced in the WSO2 Security Advisory WSO2-2025-4585 to all affected deployments
  • Restrict network access to WSO2 management REST APIs and management ports so they are reachable only from trusted administrative networks
  • Audit recent administrative actions, user accounts, OAuth clients, and API definitions for unauthorized changes since exposure
  • Rotate administrative credentials, OAuth client secrets, and signing keys after patching if exposure is suspected

Patch Information

WSO2 has published official guidance and product-specific fixes in WSO2 Security Advisory WSO2-2025-4585. Customers should apply the WUM (WSO2 Update Manager) updates or upgrade to the fixed versions listed in the advisory for API Manager, Identity Server, Identity Server as Key Manager, API Control Plane, Traffic Manager, Universal Gateway, and Open Banking components.

Workarounds

  • Place affected WSO2 management interfaces behind a reverse proxy or web application firewall that enforces allow-lists and authentication on REST API paths
  • Disable or block unused REST API endpoints at the network layer until patches are applied
  • Apply firewall rules to expose only required gateway ports to end users while keeping management ports internal
bash
# Example: restrict WSO2 management port 9443 to a trusted admin subnet using iptables
iptables -A INPUT -p tcp --dport 9443 -s 10.0.10.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 9443 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.