Cyber Posture

CVE-2025-10611

Critical

Published: 16 October 2025
Modified: 21 November 2025
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0028 (51.0th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Insufficient access control in multiple WSO2 products allows an unauthenticated remote attacker to bypass the authentication and authorization checks on certain REST APIs and invoke them without validation, leading to unauthorized administrative operations.

Security Summary

CVE-2025-10611 is a critical vulnerability (CVSS score 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) published on 2025-10-16 and classified under CWE-863 (Incorrect Authorization). It stems from an insufficient access control implementation in multiple WSO2 products: certain REST APIs can be invoked without the authentication and authorization checks that should gate them.

The vulnerability is exploitable over the network by an unauthenticated attacker with no privileges, low attack complexity and no user interaction. Successful exploitation gives the attacker administrative access, allowing unauthenticated and unauthorized administrative operations on the affected product.
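The flaw class is CWE-863: a request reaches a privileged REST operation without the authorization decision that should gate it. This record does not describe the mechanism inside WSO2, so the Python below is an added, hypothetical illustration of the general shape rather than WSO2 code or the actual defect. It places a fail-open policy lookup, which treats any route absent from its table as public, beside a fail-closed version that canonicalizes the request path and denies anything not explicitly allowed. Routes, scopes, callers and function names are constructed for this example.

```python
"""Fail-open versus fail-closed REST authorization (hypothetical CWE-863 illustration).

Added example, not WSO2 code and not the mechanism of CVE-2025-10611. The
sample policy, callers and paths below are constructed data.
"""
import posixpath
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class Caller:
    authenticated: bool
    scopes: frozenset = frozenset()


ANONYMOUS = Caller(authenticated=False)

# Constructed policy: (method, path) -> scope the caller must hold (None = public).
POLICY = {
    ("GET", "/api/v1/health"): None,
    ("GET", "/api/v1/users"): "users:read",
    ("POST", "/api/v1/users"): "users:write",
}


def canonical_path(path):
    """Percent-decode, collapse '//' and '.'/'..' segments and drop a trailing
    slash, so a policy lookup cannot be dodged with a variant spelling."""
    collapsed = posixpath.normpath(unquote(path))
    return "/" + collapsed.lstrip("/")


def authorize_permissive(caller, method, path):
    """Vulnerable shape: a route missing from POLICY is treated as public.
    Any path variant that misses the exact-match lookup is therefore allowed."""
    required = POLICY.get((method, path))        # absent key -> None -> 'public'
    if required is None:
        return True
    return caller.authenticated and required in caller.scopes


def authorize_deny_by_default(caller, method, path):
    """Hardened shape: canonicalize first, then deny unless the route is
    explicitly listed and the caller holds the scope it requires."""
    key = (method.upper(), canonical_path(path))
    if key not in POLICY:
        return False                             # unknown route: deny, never assume public
    required = POLICY[key]
    if required is None:
        return True
    return caller.authenticated and required in caller.scopes


if __name__ == "__main__":
    for path in ("/api/v1/users", "/api/v1/users/", "/api/v1//users", "/api/v1/%75sers"):
        print(path, "permissive:", authorize_permissive(ANONYMOUS, "GET", path),
              "deny-by-default:", authorize_deny_by_default(ANONYMOUS, "GET", path))
```

The permissive variant rejects an anonymous `GET /api/v1/users` but accepts `GET /api/v1/users/`, `/api/v1//users` and `/api/v1/%75sers`, because none of those strings is a key in the table and a missing key reads as "public". The hardened variant normalizes the path before lookup and denies every request the policy does not explicitly authorize, which is the property a reviewer should look for in any gateway or servlet filter that fronts administrative REST APIs.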

Mitigation details are available in the WSO2 security advisory at https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4585/.

Details

CWE(s)
CWE-863 (Incorrect Authorization)

Affected Products

Vendor   Product                          Versions
wso2     api control plane                4.5.0
wso2     api manager                      2.1.0, 2.2.0, 2.5.0, 2.6.0, 3.0.0
wso2     identity server                  5.3.0, 5.5.0, 5.6.0, 5.10.0, 5.11.0
wso2     identity server as key manager   5.3.0, 5.5.0, 5.6.0, 5.7.0, 5.10.0
wso2     open banking am                  1.4.0, 1.5.0, 2.0.0
wso2     open banking iam                 2.0.0
wso2     open banking km                  1.4.0, 1.5.0
wso2     traffic manager                  4.5.0
wso2     universal gateway                4.5.0

The versions above are those listed on this record; check the WSO2 advisory linked in the Security Summary for the full affected-version ranges and the patched releases for each product.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why this technique?

The vulnerability allows unauthenticated remote attackers to bypass authorization on Internet-facing REST APIs in WSO2 products, so exploiting the public-facing application directly yields administrative access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
