Is CVE-2025-10611 actively exploited?

CVE-2025-10611 has no public evidence of in-the-wild exploitation as of 2025-11-21.

What is the CVSS score for CVE-2025-10611?

CVE-2025-10611 has a CVSS score of 9.8 (CRITICAL severity). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

How do I patch CVE-2025-10611?

Patch guidance is available from wso2 security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2025-10611.

Fix CVE-2025-10611 - CRITICAL wso2 api control plane

Q: Which products are affected by CVE-2025-10611?

41 products: wso2 api control plane, wso2 api manager, wso2 api manager, wso2 api manager, wso2 api manager, and 36 more.

Description

Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without proper validation. Successful exploitation of this vulnerability could lead to a malicious actor gaining administrative access and performing unauthenticated and unauthorized administrative operations.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: network
Complexity: low
Privileges: none
User Action: none
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: high
Weaknesses: CWE-863 · Incorrect Authorization

Metadata

Primary Vendor: WSO2
Published: 10/16/2025
Last Modified: 11/21/2025
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

Affected Products

wso2 : api_control_planewso2 : api_managerwso2 : api_managerwso2 : api_managerwso2 : api_managerwso2 : api_managerwso2 : api_managerwso2 : api_managerwso2 : api_managerwso2 : api_managerwso2 : api_managerwso2 : api_managerwso2 : api_managerwso2 : api_managerwso2 : api_managerwso2 : identity_serverwso2 : identity_serverwso2 : identity_serverwso2 : identity_serverwso2 : identity_serverwso2 : identity_serverwso2 : identity_serverwso2 : identity_serverwso2 : identity_serverwso2 : identity_serverwso2 : identity_serverwso2 : identity_serverwso2 : identity_server_as_key_managerwso2 : identity_server_as_key_managerwso2 : identity_server_as_key_managerwso2 : identity_server_as_key_managerwso2 : identity_server_as_key_managerwso2 : identity_server_as_key_managerwso2 : open_banking_amwso2 : open_banking_amwso2 : open_banking_amwso2 : open_banking_iamwso2 : open_banking_kmwso2 : open_banking_kmwso2 : traffic_managerwso2 : universal_gateway

Remediation Guidance

Executive Summary

View on NIST NVD