FKIE_CVE-2025-8325

Vulnerability from fkie_nvd - Published: 2026-05-11 10:16 - Updated: 2026-05-27 19:41
Severity
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
The software fails to enforce role-based access controls for certain Gateway API invocations. Users with the 'Internal/Everyone' role can invoke these APIs, bypassing intended permission checks. This same vulnerability also affects Internal Service APIs, potentially exposing them in WSO2 APIM 3.x versions. A malicious actor with a valid user account on a vulnerable deployment can perform sensitive operations against the Gateway REST API regardless of their actual roles or privileges. This could lead to unintended behavior or misuse, particularly in production environments.
References
ed10eef1-636d-4fbe-9993-6890dfa878f8https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4401/Vendor Advisory
Impacted products
Vendor Product Version
wso2 api_control_plane *
wso2 api_manager *
wso2 api_manager *
wso2 api_manager *
wso2 api_manager *
wso2 api_manager *
wso2 api_manager *
wso2 api_manager *
wso2 api_manager *
wso2 traffic_manager *
wso2 universal_gateway *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wso2:api_control_plane:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "14673F3A-694F-43A7-A908-89AB43FE5D40",
              "versionEndExcluding": "4.5.0.18",
              "versionStartIncluding": "4.5.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BB859A03-5918-441D-9994-D2FCABC6BA33",
              "versionEndExcluding": "3.2.0.435",
              "versionStartIncluding": "3.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B96C6F6B-A9E7-4D9C-914F-72E5EECDF4A5",
              "versionEndExcluding": "3.2.1.55",
              "versionStartIncluding": "3.2.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AC6CF34B-F7F4-4669-B2FC-31A6CAADA3A9",
              "versionEndExcluding": "4.0.0.355",
              "versionStartIncluding": "4.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "59D33891-9333-4121-BE6F-23983E6EB544",
              "versionEndExcluding": "4.1.0.219",
              "versionStartIncluding": "4.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "676DEFD1-5C07-4602-91CD-188E3E74D270",
              "versionEndExcluding": "4.2.0.157",
              "versionStartIncluding": "4.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3FC7B4FE-F1C1-43FC-940E-9C461BDCFD23",
              "versionEndExcluding": "4.3.0.70",
              "versionStartIncluding": "4.3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "54762DFE-843A-4C4F-9EFB-C9077A867A6F",
              "versionEndExcluding": "4.4.0.33",
              "versionStartIncluding": "4.4.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AC373117-8394-467A-821F-AF51388FCB8B",
              "versionEndExcluding": "4.5.0.17",
              "versionStartIncluding": "4.5.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wso2:traffic_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C2486C66-55BA-4AA1-82B3-7B5AD5C33C83",
              "versionEndExcluding": "4.5.0.17",
              "versionStartIncluding": "4.5.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wso2:universal_gateway:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "78E12620-9EB3-4512-8688-314A337E9B62",
              "versionEndExcluding": "4.5.0.17",
              "versionStartIncluding": "4.5.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The software fails to enforce role-based access controls for certain Gateway API invocations. Users with the \u0027Internal/Everyone\u0027 role can invoke these APIs, bypassing intended permission checks. This same vulnerability also affects Internal Service APIs, potentially exposing them in WSO2 APIM 3.x versions.\n\nA malicious actor with a valid user account on a vulnerable deployment can perform sensitive operations against the Gateway REST API regardless of their actual roles or privileges. This could lead to unintended behavior or misuse, particularly in production environments."
    }
  ],
  "id": "CVE-2025-8325",
  "lastModified": "2026-05-27T19:41:03.557",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.4,
        "source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-05-11T10:16:13.037",
  "references": [
    {
      "source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4401/"
    }
  ],
  "sourceIdentifier": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-281"
        }
      ],
      "source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.