What is CVE-2025-9804?

CVE-2025-9804 is a critical-severity vulnerability in Wso2 Api Manager Analytics. CVSS score: 9.6/10. Published 2025-10-16.

How severe is CVE-2025-9804?

Critical severity. CVSS v3 base score is 9.6 out of 10.

Vulnerability in Wso2 Api Manager Analytics

CVE-2025-9804

An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unaut…

EPSS: 0.000 (9.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.6 (Critical). Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.

Affected products

Wso2 Api Manager Analytics — versions 0, 2.0.0, 2.1.0
Wso2 Org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util — versions 6.7.206, 6.7.210, 9.0.174
Wso2 Org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector — versions 2.0.10, 2.0.15, 2.0.21
Wso2 Org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt — versions 5.2.0, 5.2.2, 5.7.5
Wso2 Org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow — versions 5.1.1, 5.1.2, 5.1.5
Wso2 Org.wso2.carbon:org.wso2.carbon.base — versions 4.4.7, 4.4.9, 4.4.11
Wso2 Org.wso2.carbon:org.wso2.carbon.server.admin — versions 4.4.7, 4.4.9, 4.4.11
Wso2 Api Control Plane — versions 4.5.0
Wso2 Api Manager — versions 0, 2.0.0, 2.1.0
Wso2 Data Analytics Server — versions 0, 3.1.0, 3.2.0

References

security.docs.wso2.com/en/latest/security-announcements/security-advisories/202… (vendor-advisory)

Frequently asked questions

What is CVE-2025-9804?: CVE-2025-9804 is a critical-severity vulnerability in Wso2 Api Manager Analytics. CVSS score: 9.6/10. Published 2025-10-16.
How severe is CVE-2025-9804?: Critical severity. CVSS v3 base score is 9.6 out of 10.