CVE-2025-9804 | WSO2 Identity Server as Key Manager SOAP Admin Service/System REST API access control

SecurityVulns

A vulnerability marked as critical has been reported in WSO2 Identity Server as Key Manager, Identity Server, Open Banking KM, Open Banking IAM, Open Banking AM, API Manager, Identity Server Analytics, API Manager Analytics, Enterprise Integrator, Enterprise Service Bus Analytics, Data Analytics Server, Enterprise Mobility Manager, Universal Gateway, API Control Plane, Traffic Manager, org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector, org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util, org.wso2.carbon:org.wso2.carbon.base, org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt, org.wso2.carbon:org.wso2.carbon.server.admin and org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow. The vulnerability affects an unknown functionality of the component SOAP Admin Service/System REST API. Manipulation of this functionality leads to improper access controls.

This vulnerability is handled as CVE-2025-9804. The attack can only be carried out from within the local network. No exploit is available.

It is suggested to upgrade the affected component.

VulDB Recent Entries