CVE-2025-5605 (GCVE-0-2025-5605)
Vulnerability from cvelistv5 – Published: 2025-10-24 10:09 – Updated: 2025-10-24 11:44Title
Authentication Bypass via URI Manipulation in Multiple WSO2 Products' Management Console Leading to Partial Information Disclosure
Summary
An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the console can manipulate the request URI to bypass authentication and access certain restricted resources, resulting in partial information disclosure.
The known exposure from this issue is limited to memory statistics. While the vulnerability does not allow full account compromise, it still enables unauthorized access to internal system details.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-290 - Authentication Bypass by Spoofing
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://security.docs.wso2.com/en/latest/security… | vendor-advisory |
Impacted products
10 products
| Vendor | Product | Version | |
|---|---|---|---|
| WSO2 | WSO2 Identity Server |
Unknown:
0 , < 5.10.0
(custom)
Affected: 5.10.0 , < 5.10.0.361 (custom) Affected: 5.11.0 , < 5.11.0.414 (custom) Affected: 6.0.0 , < 6.0.0.245 (custom) Affected: 6.1.0 , < 6.1.0.244 (custom) Affected: 7.0.0 , < 7.0.0.119 (custom) Affected: 7.1.0 , < 7.1.0.25 (custom) |
|
| WSO2 | WSO2 Enterprise Integrator |
Unknown:
0 , < 6.6.0
(custom)
Affected: 6.6.0 , < 6.6.0.217 (custom) |
|
| WSO2 | WSO2 Universal Gateway |
Affected:
4.5.0 , < 4.5.0.10
(custom)
|
|
| WSO2 | WSO2 Traffic Manager |
Affected:
4.5.0 , < 4.5.0.10
(custom)
|
|
| WSO2 | WSO2 API Manager |
Unknown:
0 , < 3.1.0
(custom)
Affected: 3.1.0 , < 3.1.0.334 (custom) Affected: 3.2.0 , < 3.2.0.430 (custom) Affected: 3.2.1 , < 3.2.1.48 (custom) Affected: 4.0.0 , < 4.0.0.346 (custom) Affected: 4.1.0 , < 4.1.0.210 (custom) Affected: 4.2.0 , < 4.2.0.148 (custom) Affected: 4.3.0 , < 4.3.0.61 (custom) Affected: 4.4.0 , < 4.4.0.24 (custom) Affected: 4.5.0 , < 4.5.0.10 (custom) |
|
| WSO2 | WSO2 API Control Plane |
Affected:
4.5.0 , < 4.5.0.11
(custom)
|
|
| WSO2 | WSO2 Identity Server as Key Manager |
Unknown:
0 , < 5.10.0
(custom)
Affected: 5.10.0 , < 5.10.0.354 (custom) |
|
| WSO2 | WSO2 Open Banking AM |
Unknown:
0 , < 2.0.0
(custom)
Affected: 2.0.0 , < 2.0.0.382 (custom) |
|
| WSO2 | WSO2 Open Banking IAM |
Unknown:
0 , < 2.0.0
(custom)
Affected: 2.0.0 , < 2.0.0.403 (custom) |
|
| WSO2 | org.wso2.carbon:org.wso2.carbon.ui |
Affected:
4.5.3 , < 4.5.3.40
(custom)
Affected: 4.6.0 , < 4.6.0.1224 (custom) Affected: 4.6.1 , < 4.6.1.150 (custom) Affected: 4.6.2 , < 4.6.2.664 (custom) Affected: 4.6.3 , < 4.6.3.32 (custom) Affected: 4.6.4 , < 4.6.4.8 (custom) Affected: 4.7.1 , < 4.7.1.69 (custom) Affected: 4.8.1 , < 4.8.1.33 (custom) Affected: 4.9.0 , < 4.9.0.100 (custom) Affected: 4.9.26 , < 4.9.26.20 (custom) Affected: 4.9.27 , < 4.9.27.4 (custom) Affected: 4.9.28 , < 4.9.28.4 (custom) Affected: 4.10.9 , < 4.10.9.68 (custom) Affected: 4.10.42 , < 4.10.42.10 (custom) Unaffected: 4.9.29 , ≤ 4.9.* (custom) Unaffected: 4.10.90 , ≤ * (custom) |
Credits
Shadowserver
Known Exploited Vulnerability - GCVE BCP-07 Compliant
KEV entry ID: 2368324a-e226-4f5f-b0e2-f44fd238862a
Exploited: Yes
Characteristics
Severity:
43.0
Timestamps
First Seen: 2025-12-14
Asserted: 2025-12-14
Last Seen: 2026-07-12
Scope
Asset Exposure: ['internet-facing']
Notes: Affected: WSO2 / WSO2 multiple products | Class: other-software | Severity: Medium (CVSS 4.3) | IoT: no | In CISA KEV: no | Honeypot connections on 2026-07-12: 1
Evidence
Type: Honeypot
Signal: In The Wild Attempts
Confidence: 70%
Source: shadowserver
Details
| 1D | 1 |
|---|---|
| Iot | no |
| Feed | Shadowserver Foundation honeypot/exploited-vulnerabilities |
| Type | http-scan |
| Class | other-software |
| 7D Avg | 1 |
| Vendor | WSO2 |
| 30D Avg | 0 |
| 90D Avg | 0 |
| Product | WSO2 multiple products |
| Cisa Kev | no |
| Connections | 1 |
| Observation Date | 2026-07-12 |
| Vulnerability Class | CVSS |
| Vulnerability Score | 4.3 |
| Vulnerability Severity | Medium |
References
Created: 2026-06-30 09:23 UTC
| Updated: 2026-07-14 01:01 UTC
KEVIntel
Known Exploited Vulnerability - GCVE BCP-07 Compliant
KEV entry ID: b99b5c67-939c-4f2a-93c1-5ab2f0695fa5
Exploited: Yes
Timestamps
First Seen: 2026-02-15
Asserted: 2026-02-15
Scope
Notes: KEVIntel entry: Authentication Bypass via URI Manipulation in Multiple WSO2 Products' Management Console Leading to Partial Information Disclosure | Affected: WSO2 / WSO2 Identity Server, WSO2 Enterprise Integrator, WSO2 Universal Gateway, WSO2 Traffic Manager, WSO2 API Manager, WSO2 API Control Plane, WSO2 Identity Server as Key Manager, WSO2 Open Banking AM, WSO2 Open Banking IAM, org.wso2.carbon:org.wso2.carbon.ui | CVSS: 4.3 (MEDIUM) | Used in malware: unknown | Not yet in CISA KEV: True
Evidence
Type: Public Report
Signal: Successful Exploitation
Confidence: 70%
Source: kevintel
Details
| Feed | KEVIntel (kevintel.com) |
|---|---|
| Title | Authentication Bypass via URI Manipulation in Multiple WSO2 Products' Management Console Leading to Partial Information Disclosure |
| Vendor | WSO2 |
| Product | WSO2 Identity Server, WSO2 Enterprise Integrator, WSO2 Universal Gateway, WSO2 Traffic Manager, WSO2 API Manager, WSO2 API Control Plane, WSO2 Identity Server as Key Manager, WSO2 Open Banking AM, WSO2 Open Banking IAM, org.wso2.carbon:org.wso2.carbon.ui |
| Added Date | 2026-02-15T00:00:00.000Z |
| Cvss Score | 4.3 |
| Epss Score | None |
| Cvss Severity | MEDIUM |
| Epss Percentile | None |
| Used In Malware | unknown |
| Ahead Of Cisa Kev | None |
| Not Yet In Cisa Kev | True |
References
Created: 2026-06-23 14:03 UTC
| Updated: 2026-07-10 06:14 UTC
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5605",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-24T11:44:00.454638Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290 Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T11:44:58.987Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.10.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.361",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
},
{
"lessThan": "5.11.0.414",
"status": "affected",
"version": "5.11.0",
"versionType": "custom"
},
{
"lessThan": "6.0.0.245",
"status": "affected",
"version": "6.0.0",
"versionType": "custom"
},
{
"lessThan": "6.1.0.244",
"status": "affected",
"version": "6.1.0",
"versionType": "custom"
},
{
"lessThan": "7.0.0.119",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
},
{
"lessThan": "7.1.0.25",
"status": "affected",
"version": "7.1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Enterprise Integrator",
"vendor": "WSO2",
"versions": [
{
"lessThan": "6.6.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "6.6.0.217",
"status": "affected",
"version": "6.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Universal Gateway",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.10",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Traffic Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.10",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "3.1.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.1.0.334",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
},
{
"lessThan": "3.2.0.430",
"status": "affected",
"version": "3.2.0",
"versionType": "custom"
},
{
"lessThan": "3.2.1.48",
"status": "affected",
"version": "3.2.1",
"versionType": "custom"
},
{
"lessThan": "4.0.0.346",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThan": "4.1.0.210",
"status": "affected",
"version": "4.1.0",
"versionType": "custom"
},
{
"lessThan": "4.2.0.148",
"status": "affected",
"version": "4.2.0",
"versionType": "custom"
},
{
"lessThan": "4.3.0.61",
"status": "affected",
"version": "4.3.0",
"versionType": "custom"
},
{
"lessThan": "4.4.0.24",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
},
{
"lessThan": "4.5.0.10",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Control Plane",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.11",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server as Key Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.10.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.354",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking AM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.382",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking IAM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.403",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon:org.wso2.carbon.ui",
"product": "org.wso2.carbon:org.wso2.carbon.ui",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.3.40",
"status": "affected",
"version": "4.5.3",
"versionType": "custom"
},
{
"lessThan": "4.6.0.1224",
"status": "affected",
"version": "4.6.0",
"versionType": "custom"
},
{
"lessThan": "4.6.1.150",
"status": "affected",
"version": "4.6.1",
"versionType": "custom"
},
{
"lessThan": "4.6.2.664",
"status": "affected",
"version": "4.6.2",
"versionType": "custom"
},
{
"lessThan": "4.6.3.32",
"status": "affected",
"version": "4.6.3",
"versionType": "custom"
},
{
"lessThan": "4.6.4.8",
"status": "affected",
"version": "4.6.4",
"versionType": "custom"
},
{
"lessThan": "4.7.1.69",
"status": "affected",
"version": "4.7.1",
"versionType": "custom"
},
{
"lessThan": "4.8.1.33",
"status": "affected",
"version": "4.8.1",
"versionType": "custom"
},
{
"lessThan": "4.9.0.100",
"status": "affected",
"version": "4.9.0",
"versionType": "custom"
},
{
"lessThan": "4.9.26.20",
"status": "affected",
"version": "4.9.26",
"versionType": "custom"
},
{
"lessThan": "4.9.27.4",
"status": "affected",
"version": "4.9.27",
"versionType": "custom"
},
{
"lessThan": "4.9.28.4",
"status": "affected",
"version": "4.9.28",
"versionType": "custom"
},
{
"lessThan": "4.10.9.68",
"status": "affected",
"version": "4.10.9",
"versionType": "custom"
},
{
"lessThan": "4.10.42.10",
"status": "affected",
"version": "4.10.42",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.29",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "4.10.90",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.0.361",
"versionStartIncluding": "5.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.11.0.414",
"versionStartIncluding": "5.11.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.0.245",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.0.244",
"versionStartIncluding": "6.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.0.119",
"versionStartIncluding": "7.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1.0.25",
"versionStartIncluding": "7.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_enterprise_integrator:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.0.217",
"versionStartIncluding": "6.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_universal_gateway:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.0.10",
"versionStartIncluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_traffic_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.0.10",
"versionStartIncluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.1.0.334",
"versionStartIncluding": "3.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.2.0.430",
"versionStartIncluding": "3.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.2.1.48",
"versionStartIncluding": "3.2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.0.0.346",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.1.0.210",
"versionStartIncluding": "4.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.2.0.148",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.3.0.61",
"versionStartIncluding": "4.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.4.0.24",
"versionStartIncluding": "4.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.0.10",
"versionStartIncluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_api_control_plane:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.0.11",
"versionStartIncluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server_as_key_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.0.354",
"versionStartIncluding": "5.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_open_banking_am:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.0.0.382",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_open_banking_iam:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.0.0.403",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.3.40",
"versionStartIncluding": "4.5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.6.0.1224",
"versionStartIncluding": "4.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.6.1.150",
"versionStartIncluding": "4.6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.6.2.664",
"versionStartIncluding": "4.6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.6.3.32",
"versionStartIncluding": "4.6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.6.4.8",
"versionStartIncluding": "4.6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.1.69",
"versionStartIncluding": "4.7.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.1.33",
"versionStartIncluding": "4.8.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.0.100",
"versionStartIncluding": "4.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.26.20",
"versionStartIncluding": "4.9.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.27.4",
"versionStartIncluding": "4.9.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.28.4",
"versionStartIncluding": "4.9.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.10.9.68",
"versionStartIncluding": "4.10.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.10.42.10",
"versionStartIncluding": "4.10.42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndIncluding": "4.9.*",
"versionStartIncluding": "4.9.29",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndIncluding": "*",
"versionStartIncluding": "4.10.90",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "No\u00ebl Maccary"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the console can manipulate the request URI to bypass authentication and access certain restricted resources, resulting in partial information disclosure.\u003cbr\u003e\u003cbr\u003eThe known exposure from this issue is limited to memory statistics. While the vulnerability does not allow full account compromise, it still enables unauthorized access to internal system details.\u003cbr\u003e"
}
],
"value": "An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the console can manipulate the request URI to bypass authentication and access certain restricted resources, resulting in partial information disclosure.\n\nThe known exposure from this issue is limited to memory statistics. While the vulnerability does not allow full account compromise, it still enables unauthorized access to internal system details."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T10:17:47.415Z",
"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"shortName": "WSO2"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4115/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eFollow the instructions given on \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4115/#solution\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4115/#solution\u003c/span\u003e\u003c/a\u003e \u003cbr\u003e"
}
],
"value": "Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4115/#solution https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4115/#solution"
}
],
"source": {
"advisory": "WSO2-2025-4115",
"discovery": "EXTERNAL"
},
"title": "Authentication Bypass via URI Manipulation in Multiple WSO2 Products\u0027 Management Console Leading to Partial Information Disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"assignerShortName": "WSO2",
"cveId": "CVE-2025-5605",
"datePublished": "2025-10-24T10:09:59.591Z",
"dateReserved": "2025-06-04T10:51:11.459Z",
"dateUpdated": "2025-10-24T11:44:58.987Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-5605",
"date": "2026-07-16",
"epss": "0.00811",
"percentile": "0.52823"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-5605\",\"sourceIdentifier\":\"ed10eef1-636d-4fbe-9993-6890dfa878f8\",\"published\":\"2025-10-24T10:15:39.160\",\"lastModified\":\"2026-06-17T09:48:16.013\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the console can manipulate the request URI to bypass authentication and access certain restricted resources, resulting in partial information disclosure.\\n\\nThe known exposure from this issue is limited to memory statistics. While the vulnerability does not allow full account compromise, it still enables unauthorized access to internal system details.\"}],\"affected\":[{\"source\":\"ed10eef1-636d-4fbe-9993-6890dfa878f8\",\"affectedData\":[{\"vendor\":\"WSO2\",\"product\":\"WSO2 Identity Server\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"0\",\"lessThan\":\"5.10.0\",\"versionType\":\"custom\",\"status\":\"unknown\"},{\"version\":\"5.10.0\",\"lessThan\":\"5.10.0.361\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"5.11.0\",\"lessThan\":\"5.11.0.414\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"6.0.0\",\"lessThan\":\"6.0.0.245\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"6.1.0\",\"lessThan\":\"6.1.0.244\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"7.0.0\",\"lessThan\":\"7.0.0.119\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"7.1.0\",\"lessThan\":\"7.1.0.25\",\"versionType\":\"custom\",\"status\":\"affected\"}]},{\"vendor\":\"WSO2\",\"product\":\"WSO2 Enterprise Integrator\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"0\",\"lessThan\":\"6.6.0\",\"versionType\":\"custom\",\"status\":\"unknown\"},{\"version\":\"6.6.0\",\"lessThan\":\"6.6.0.217\",\"versionType\":\"custom\",\"status\":\"affected\"}]},{\"vendor\":\"WSO2\",\"product\":\"WSO2 Universal Gateway\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"4.5.0\",\"lessThan\":\"4.5.0.10\",\"versionType\":\"custom\",\"status\":\"affected\"}]},{\"vendor\":\"WSO2\",\"product\":\"WSO2 Traffic Manager\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"4.5.0\",\"lessThan\":\"4.5.0.10\",\"versionType\":\"custom\",\"status\":\"affected\"}]},{\"vendor\":\"WSO2\",\"product\":\"WSO2 API Manager\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"0\",\"lessThan\":\"3.1.0\",\"versionType\":\"custom\",\"status\":\"unknown\"},{\"version\":\"3.1.0\",\"lessThan\":\"3.1.0.334\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"3.2.0\",\"lessThan\":\"3.2.0.430\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"3.2.1\",\"lessThan\":\"3.2.1.48\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"4.0.0\",\"lessThan\":\"4.0.0.346\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"4.1.0\",\"lessThan\":\"4.1.0.210\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"4.2.0\",\"lessThan\":\"4.2.0.148\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"4.3.0\",\"lessThan\":\"4.3.0.61\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"4.4.0\",\"lessThan\":\"4.4.0.24\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"4.5.0\",\"lessThan\":\"4.5.0.10\",\"versionType\":\"custom\",\"status\":\"affected\"}]},{\"vendor\":\"WSO2\",\"product\":\"WSO2 API Control Plane\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"4.5.0\",\"lessThan\":\"4.5.0.11\",\"versionType\":\"custom\",\"status\":\"affected\"}]},{\"vendor\":\"WSO2\",\"product\":\"WSO2 Identity Server as Key Manager\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"0\",\"lessThan\":\"5.10.0\",\"versionType\":\"custom\",\"status\":\"unknown\"},{\"version\":\"5.10.0\",\"lessThan\":\"5.10.0.354\",\"versionType\":\"custom\",\"status\":\"affected\"}]},{\"vendor\":\"WSO2\",\"product\":\"WSO2 Open Banking AM\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"0\",\"lessThan\":\"2.0.0\",\"versionType\":\"custom\",\"status\":\"unknown\"},{\"version\":\"2.0.0\",\"lessThan\":\"2.0.0.382\",\"versionType\":\"custom\",\"status\":\"affected\"}]},{\"vendor\":\"WSO2\",\"product\":\"WSO2 Open Banking IAM\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"0\",\"lessThan\":\"2.0.0\",\"versionType\":\"custom\",\"status\":\"unknown\"},{\"version\":\"2.0.0\",\"lessThan\":\"2.0.0.403\",\"versionType\":\"custom\",\"status\":\"affected\"}]},{\"vendor\":\"WSO2\",\"product\":\"org.wso2.carbon:org.wso2.carbon.ui\",\"defaultStatus\":\"unknown\",\"packageName\":\"org.wso2.carbon:org.wso2.carbon.ui\",\"versions\":[{\"version\":\"4.5.3\",\"lessThan\":\"4.5.3.40\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"4.6.0\",\"lessThan\":\"4.6.0.1224\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"4.6.1\",\"lessThan\":\"4.6.1.150\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"4.6.2\",\"lessThan\":\"4.6.2.664\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"4.6.3\",\"lessThan\":\"4.6.3.32\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"4.6.4\",\"lessThan\":\"4.6.4.8\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"4.7.1\",\"lessThan\":\"4.7.1.69\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"4.8.1\",\"lessThan\":\"4.8.1.33\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"4.9.0\",\"lessThan\":\"4.9.0.100\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"4.9.26\",\"lessThan\":\"4.9.26.20\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"4.9.27\",\"lessThan\":\"4.9.27.4\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"4.9.28\",\"lessThan\":\"4.9.28.4\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"4.10.9\",\"lessThan\":\"4.10.9.68\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"4.10.42\",\"lessThan\":\"4.10.42.10\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"4.9.29\",\"lessThanOrEqual\":\"4.9.*\",\"versionType\":\"custom\",\"status\":\"unaffected\"},{\"version\":\"4.10.90\",\"lessThanOrEqual\":\"*\",\"versionType\":\"custom\",\"status\":\"unaffected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"ed10eef1-636d-4fbe-9993-6890dfa878f8\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2025-10-24T11:44:00.454638Z\",\"id\":\"CVE-2025-5605\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-290\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:api_control_plane:4.5.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEEA7DB5-BBF7-44A4-9FB6-0D235A44C680\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1344FB79-0796-445C-A8F3-C03E995925D1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E31E32CD-497E-4EF5-B3FC-8718EE06EDAD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:api_manager:3.2.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B58251E8-606B-47C8-8E50-9F9FC8C179BD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E21D7ABF-C328-425D-B914-618C7628220B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:api_manager:4.1.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"51465410-6B7C-40FD-A1AB-A14F650A6AC8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:api_manager:4.2.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"851470CC-22AB-43E4-9CC6-5E22D49B3572\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:api_manager:4.3.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"9EBAB99E-6F0F-4CE9-A954-E8878826304C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:api_manager:4.4.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"0B3E6207-B2CF-487C-9CB8-906248B665C9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:api_manager:4.5.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"D47B760D-5418-4FB0-88F0-3F78BAFF63E1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:enterprise_integrator:6.6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E4A07C73-3E6B-4CF9-BEB9-39C6081C0332\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:identity_server:5.10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F4F126CA-A2F9-44F4-968B-DF71765869E5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:identity_server:5.11.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2153AECE-020A-4C01-B2A6-F9F5D98E7EBE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:identity_server:6.0.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"32CE7893-AD1A-49E5-BD1A-5E9C2DEB8764\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:identity_server:6.1.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"EA76533A-5BED-4BDC-B348-EB3D3FDFB110\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:identity_server:7.0.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"C1EFBD0F-9664-4EF3-9908-C72B1318F68F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:identity_server:7.1.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"A5358E6E-8C01-408D-8692-B1A326DC630F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6BB34405-A2F1-461A-B51B-E103BB3680A1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:open_banking_am:2.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"94347800-04D2-48C4-ACF0-078A5ACBB063\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:open_banking_iam:2.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D7C241A3-8EA0-41E4-ABF3-21B9D8E7A5BE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:traffic_manager:4.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C7413107-D7B2-49AE-AC46-52E7BFCD6ED8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:universal_gateway:4.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"61636553-C25E-44DF-93D7-EB3E1056D1DC\"}]}]}],\"references\":[{\"url\":\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4115/\",\"source\":\"ed10eef1-636d-4fbe-9993-6890dfa878f8\",\"tags\":[\"Vendor Advisory\"]}]}}",
"redhat_vex": {
"current_release_date": "2025-10-25T10:18:51+00:00",
"cve": "CVE-2025-5605",
"id": "CVE-2025-5605",
"initial_release_date": "2025-01-01T00:00:00+00:00",
"product_status:known_not_affected": "1",
"source": "Red Hat CSAF VEX",
"status": "final",
"title": "Authentication Bypass via URI Manipulation in Multiple WSO2 Products\u0027 Management Console Leading to Partial Information Disclosure",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-5605.json",
"version": "3"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-5605\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-10-24T11:44:00.454638Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-290\", \"description\": \"CWE-290 Authentication Bypass by Spoofing\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-10-24T11:44:53.012Z\"}}], \"cna\": {\"title\": \"Authentication Bypass via URI Manipulation in Multiple WSO2 Products\u0027 Management Console Leading to Partial Information Disclosure\", \"source\": {\"advisory\": \"WSO2-2025-4115\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"No\\u00ebl Maccary\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.3, \"attackVector\": \"ADJACENT_NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"WSO2\", \"product\": \"WSO2 Identity Server\", \"versions\": [{\"status\": \"unknown\", \"version\": \"0\", \"lessThan\": \"5.10.0\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.10.0\", \"lessThan\": \"5.10.0.361\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.11.0\", \"lessThan\": \"5.11.0.414\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"6.0.0\", \"lessThan\": \"6.0.0.245\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"6.1.0\", \"lessThan\": \"6.1.0.244\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"7.0.0\", \"lessThan\": \"7.0.0.119\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"7.1.0\", \"lessThan\": \"7.1.0.25\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"WSO2\", \"product\": \"WSO2 Enterprise Integrator\", \"versions\": [{\"status\": \"unknown\", \"version\": \"0\", \"lessThan\": \"6.6.0\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"6.6.0\", \"lessThan\": \"6.6.0.217\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"WSO2\", \"product\": \"WSO2 Universal Gateway\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.5.0\", \"lessThan\": \"4.5.0.10\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"WSO2\", \"product\": \"WSO2 Traffic Manager\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.5.0\", \"lessThan\": \"4.5.0.10\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"WSO2\", \"product\": \"WSO2 API Manager\", \"versions\": [{\"status\": \"unknown\", \"version\": \"0\", \"lessThan\": \"3.1.0\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"3.1.0\", \"lessThan\": \"3.1.0.334\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"3.2.0\", \"lessThan\": \"3.2.0.430\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"3.2.1\", \"lessThan\": \"3.2.1.48\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.0.0\", \"lessThan\": \"4.0.0.346\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.1.0\", \"lessThan\": \"4.1.0.210\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.2.0\", \"lessThan\": \"4.2.0.148\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.3.0\", \"lessThan\": \"4.3.0.61\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.4.0\", \"lessThan\": \"4.4.0.24\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.5.0\", \"lessThan\": \"4.5.0.10\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"WSO2\", \"product\": \"WSO2 API Control Plane\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.5.0\", \"lessThan\": \"4.5.0.11\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"WSO2\", \"product\": \"WSO2 Identity Server as Key Manager\", \"versions\": [{\"status\": \"unknown\", \"version\": \"0\", \"lessThan\": \"5.10.0\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.10.0\", \"lessThan\": \"5.10.0.354\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"WSO2\", \"product\": \"WSO2 Open Banking AM\", \"versions\": [{\"status\": \"unknown\", \"version\": \"0\", \"lessThan\": \"2.0.0\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"2.0.0\", \"lessThan\": \"2.0.0.382\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"WSO2\", \"product\": \"WSO2 Open Banking IAM\", \"versions\": [{\"status\": \"unknown\", \"version\": \"0\", \"lessThan\": \"2.0.0\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"2.0.0\", \"lessThan\": \"2.0.0.403\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"WSO2\", \"product\": \"org.wso2.carbon:org.wso2.carbon.ui\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.5.3\", \"lessThan\": \"4.5.3.40\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.6.0\", \"lessThan\": \"4.6.0.1224\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.6.1\", \"lessThan\": \"4.6.1.150\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.6.2\", \"lessThan\": \"4.6.2.664\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.6.3\", \"lessThan\": \"4.6.3.32\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.6.4\", \"lessThan\": \"4.6.4.8\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.7.1\", \"lessThan\": \"4.7.1.69\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.8.1\", \"lessThan\": \"4.8.1.33\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.9.0\", \"lessThan\": \"4.9.0.100\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.9.26\", \"lessThan\": \"4.9.26.20\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.9.27\", \"lessThan\": \"4.9.27.4\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.9.28\", \"lessThan\": \"4.9.28.4\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.10.9\", \"lessThan\": \"4.10.9.68\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.10.42\", \"lessThan\": \"4.10.42.10\", \"versionType\": \"custom\"}, {\"status\": \"unaffected\", \"version\": \"4.9.29\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"4.9.*\"}, {\"status\": \"unaffected\", \"version\": \"4.10.90\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"*\"}], \"packageName\": \"org.wso2.carbon:org.wso2.carbon.ui\", \"defaultStatus\": \"unknown\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4115/#solution https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4115/#solution\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: transparent;\\\"\u003eFollow the instructions given on \u003c/span\u003e\u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4115/#solution\\\"\u003e\u003cspan style=\\\"background-color: transparent;\\\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4115/#solution\u003c/span\u003e\u003c/a\u003e \u003cbr\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4115/\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the console can manipulate the request URI to bypass authentication and access certain restricted resources, resulting in partial information disclosure.\\n\\nThe known exposure from this issue is limited to memory statistics. While the vulnerability does not allow full account compromise, it still enables unauthorized access to internal system details.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the console can manipulate the request URI to bypass authentication and access certain restricted resources, resulting in partial information disclosure.\u003cbr\u003e\u003cbr\u003eThe known exposure from this issue is limited to memory statistics. While the vulnerability does not allow full account compromise, it still enables unauthorized access to internal system details.\u003cbr\u003e\", \"base64\": false}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.10.0.361\", \"versionStartIncluding\": \"5.10.0\"}, {\"criteria\": \"cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.11.0.414\", \"versionStartIncluding\": \"5.11.0\"}, {\"criteria\": \"cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.0.0.245\", \"versionStartIncluding\": \"6.0.0\"}, {\"criteria\": \"cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.1.0.244\", \"versionStartIncluding\": \"6.1.0\"}, {\"criteria\": \"cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"7.0.0.119\", \"versionStartIncluding\": \"7.0.0\"}, {\"criteria\": \"cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"7.1.0.25\", \"versionStartIncluding\": \"7.1.0\"}], \"operator\": \"OR\"}, {\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:wso2:wso2_enterprise_integrator:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.6.0.217\", \"versionStartIncluding\": \"6.6.0\"}], \"operator\": \"OR\"}, {\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:wso2:wso2_universal_gateway:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.5.0.10\", \"versionStartIncluding\": \"4.5.0\"}], \"operator\": \"OR\"}, {\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:wso2:wso2_traffic_manager:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.5.0.10\", \"versionStartIncluding\": \"4.5.0\"}], \"operator\": \"OR\"}, {\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"3.1.0.334\", \"versionStartIncluding\": \"3.1.0\"}, {\"criteria\": \"cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"3.2.0.430\", \"versionStartIncluding\": \"3.2.0\"}, {\"criteria\": \"cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"3.2.1.48\", \"versionStartIncluding\": \"3.2.1\"}, {\"criteria\": \"cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.0.0.346\", \"versionStartIncluding\": \"4.0.0\"}, {\"criteria\": \"cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.1.0.210\", \"versionStartIncluding\": \"4.1.0\"}, {\"criteria\": \"cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.2.0.148\", \"versionStartIncluding\": \"4.2.0\"}, {\"criteria\": \"cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.3.0.61\", \"versionStartIncluding\": \"4.3.0\"}, {\"criteria\": \"cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.4.0.24\", \"versionStartIncluding\": \"4.4.0\"}, {\"criteria\": \"cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.5.0.10\", \"versionStartIncluding\": \"4.5.0\"}], \"operator\": \"OR\"}, {\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:wso2:wso2_api_control_plane:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.5.0.11\", \"versionStartIncluding\": \"4.5.0\"}], \"operator\": \"OR\"}, {\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:wso2:wso2_identity_server_as_key_manager:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.10.0.354\", \"versionStartIncluding\": \"5.10.0\"}], \"operator\": \"OR\"}, {\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:wso2:wso2_open_banking_am:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"2.0.0.382\", \"versionStartIncluding\": \"2.0.0\"}], \"operator\": \"OR\"}, {\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:wso2:wso2_open_banking_iam:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"2.0.0.403\", \"versionStartIncluding\": \"2.0.0\"}], \"operator\": \"OR\"}, {\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.5.3.40\", \"versionStartIncluding\": \"4.5.3\"}, {\"criteria\": \"cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.6.0.1224\", \"versionStartIncluding\": \"4.6.0\"}, {\"criteria\": \"cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.6.1.150\", \"versionStartIncluding\": \"4.6.1\"}, {\"criteria\": \"cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.6.2.664\", \"versionStartIncluding\": \"4.6.2\"}, {\"criteria\": \"cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.6.3.32\", \"versionStartIncluding\": \"4.6.3\"}, {\"criteria\": \"cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.6.4.8\", \"versionStartIncluding\": \"4.6.4\"}, {\"criteria\": \"cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.7.1.69\", \"versionStartIncluding\": \"4.7.1\"}, {\"criteria\": \"cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.8.1.33\", \"versionStartIncluding\": \"4.8.1\"}, {\"criteria\": \"cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.9.0.100\", \"versionStartIncluding\": \"4.9.0\"}, {\"criteria\": \"cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.9.26.20\", \"versionStartIncluding\": \"4.9.26\"}, {\"criteria\": \"cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.9.27.4\", \"versionStartIncluding\": \"4.9.27\"}, {\"criteria\": \"cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.9.28.4\", \"versionStartIncluding\": \"4.9.28\"}, {\"criteria\": \"cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.10.9.68\", \"versionStartIncluding\": \"4.10.9\"}, {\"criteria\": \"cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.10.42.10\", \"versionStartIncluding\": \"4.10.42\"}, {\"criteria\": \"cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*\", \"vulnerable\": false, \"versionEndIncluding\": \"4.9.*\", \"versionStartIncluding\": \"4.9.29\"}, {\"criteria\": \"cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*\", \"vulnerable\": false, \"versionEndIncluding\": \"*\", \"versionStartIncluding\": \"4.10.90\"}], \"operator\": \"OR\"}], \"operator\": \"OR\"}], \"providerMetadata\": {\"orgId\": \"ed10eef1-636d-4fbe-9993-6890dfa878f8\", \"shortName\": \"WSO2\", \"dateUpdated\": \"2025-10-24T10:17:47.415Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-5605\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-24T11:44:58.987Z\", \"dateReserved\": \"2025-06-04T10:51:11.459Z\", \"assignerOrgId\": \"ed10eef1-636d-4fbe-9993-6890dfa878f8\", \"datePublished\": \"2025-10-24T10:09:59.591Z\", \"assignerShortName\": \"WSO2\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…