Is CVE-2025-9804 actively exploited?

CVE-2025-9804 has no public evidence of in-the-wild exploitation as of 2025-11-21.

What is the CVSS score for CVE-2025-9804?

CVE-2025-9804 has a CVSS score of 9.6 (CRITICAL severity). Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.

How do I patch CVE-2025-9804?

Patch guidance is available from wso2 security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2025-9804.

Fix CVE-2025-9804 - CRITICAL wso2 api control plane

Q: Which products are affected by CVE-2025-9804?

59 products: wso2 api control plane, wso2 api manager, wso2 api manager, wso2 api manager, wso2 api manager, and 54 more.

Description

An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information. This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected.

CVSS Metrics

Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: adjacent network
Complexity: low
Privileges: none
User Action: none
Scope: changed
Confidentiality: high
Integrity: high
Availability: high
Weaknesses: CWE-284

Metadata

Primary Vendor: WSO2
Published: 10/16/2025
Last Modified: 11/21/2025
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

Affected Products

wso2 : api_control_planewso2 : api_managerwso2 : api_managerwso2 : api_managerwso2 : api_managerwso2 : api_managerwso2 : api_managerwso2 : api_managerwso2 : api_managerwso2 : api_managerwso2 : api_managerwso2 : api_managerwso2 : api_managerwso2 : api_managerwso2 : api_managerwso2 : api_managerwso2 : api_manager_analyticswso2 : api_manager_analyticswso2 : api_manager_analyticswso2 : api_manager_analyticswso2 : data_analytics_serverwso2 : data_analytics_serverwso2 : enterprise_integratorwso2 : enterprise_integratorwso2 : enterprise_mobility_managerwso2 : enterprise_service_buswso2 : identity_serverwso2 : identity_serverwso2 : identity_serverwso2 : identity_serverwso2 : identity_serverwso2 : identity_serverwso2 : identity_serverwso2 : identity_serverwso2 : identity_serverwso2 : identity_serverwso2 : identity_serverwso2 : identity_serverwso2 : identity_serverwso2 : identity_serverwso2 : identity_serverwso2 : identity_server_analyticswso2 : identity_server_analyticswso2 : identity_server_analyticswso2 : identity_server_analyticswso2 : identity_server_as_key_managerwso2 : identity_server_as_key_managerwso2 : identity_server_as_key_managerwso2 : identity_server_as_key_managerwso2 : identity_server_as_key_managerwso2 : identity_server_as_key_managerwso2 : open_banking_amwso2 : open_banking_amwso2 : open_banking_amwso2 : open_banking_iamwso2 : open_banking_kmwso2 : open_banking_kmwso2 : traffic_managerwso2 : universal_gateway

Remediation Guidance

Executive Summary

View on NIST NVD