CVE-2025-9955

An improper access control vulnerability exists in WSO2 Enterprise Integrator product due to insufficient permission restrictions on internal SOAP admin services related to system logs and user-store configuration. A low-privileged user can access log data and user-store configuration details that are not intended to be exposed at that privilege level. While no credentials or sensitive user information are exposed, this vulnerability may allow unauthorized visibility into internal operational details, which could aid in further exploitation or reconnaissance.

CVSS v3 5.7 MEDIUM

5.7^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.1 / Impact : 3.6

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4526/	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:wso2:enterprise_integrator:6.0.0:::::::*
	cpe:2.3:a:wso2:enterprise_integrator:6.1.0:::::::*
	cpe:2.3:a:wso2:enterprise_integrator:6.1.1:::::::*
	cpe:2.3:a:wso2:enterprise_integrator:6.2.0:::::::*
	cpe:2.3:a:wso2:enterprise_integrator:6.3.0:::::::*
	cpe:2.3:a:wso2:enterprise_integrator:6.4.0:::::::*
	cpe:2.3:a:wso2:enterprise_integrator:6.5.0:::::::*
	cpe:2.3:a:wso2:enterprise_integrator:6.6.0:::::::*
	cpe:2.3:a:wso2:enterprise_service_bus:5.0.0:::::::*

History

No history.

Information

Published : 2025-10-16 13:15

Updated : 2025-10-21 18:32

NVD link : CVE-2025-9955

Mitre link : CVE-2025-9955

CVE.ORG link : CVE-2025-9955

JSON object : View

Products Affected

wso2

enterprise_integrator
enterprise_service_bus

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2025-9955", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.1}]}, "published": "2025-10-16T13:15:42.300", "references": [{"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4526/", "tags": ["Vendor Advisory"], "source": "ed10eef1-636d-4fbe-9993-6890dfa878f8"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "An improper access control vulnerability exists in WSO2 Enterprise Integrator product due to insufficient permission restrictions on internal SOAP admin services related to system logs and user-store configuration. A low-privileged user can access log data and user-store configuration details that are not intended to be exposed at that privilege level.\n\nWhile no credentials or sensitive user information are exposed, this vulnerability may allow unauthorized visibility into internal operational details, which could aid in further exploitation or reconnaissance."}], "lastModified": "2025-10-21T18:32:41.200", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wso2:enterprise_integrator:6.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2242AF12-0C75-41A7-8450-B9A2EBF5A8CE"}, {"criteria": "cpe:2.3:a:wso2:enterprise_integrator:6.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D64106E7-1956-4AAA-915F-7E6DB7461BD4"}, {"criteria": "cpe:2.3:a:wso2:enterprise_integrator:6.1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EA3B48BB-ECB5-4A94-B76D-97BC3D303E9E"}, {"criteria": "cpe:2.3:a:wso2:enterprise_integrator:6.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "66292C25-B0B9-4FCE-9382-57B8F6BB814A"}, {"criteria": "cpe:2.3:a:wso2:enterprise_integrator:6.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "709DC7EA-18A6-4B83-84CB-F2499BEB5D2F"}, {"criteria": "cpe:2.3:a:wso2:enterprise_integrator:6.4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "18E8577A-B322-4A70-B8AB-9DE45EFDF229"}, {"criteria": "cpe:2.3:a:wso2:enterprise_integrator:6.5.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4FCA89E3-F37E-494E-AD46-B9A04E608908"}, {"criteria": "cpe:2.3:a:wso2:enterprise_integrator:6.6.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E4A07C73-3E6B-4CF9-BEB9-39C6081C0332"}, {"criteria": "cpe:2.3:a:wso2:enterprise_service_bus:5.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "236C44E3-FAB5-41F2-9884-D17944EBB468"}], "operator": "OR"}]}], "sourceIdentifier": "ed10eef1-636d-4fbe-9993-6890dfa878f8"}