CVE-2024-7097

4.3 MEDIUM

📋 TL;DR

This vulnerability allows attackers to create unauthorized user accounts in WSO2 products regardless of self-registration settings. It affects WSO2 products with SOAP admin service enabled. Attackers can create low-privileged accounts to gain initial access to systems.

💻 Affected Systems

Products:
  • WSO2 API Manager
  • WSO2 Identity Server
  • WSO2 Enterprise Integrator
Versions: Multiple versions prior to the patched releases listed in the vendor advisory
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires SOAP admin service to be enabled and accessible.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Mass account creation leads to system resource exhaustion, denial of service, and persistent unauthorized access enabling further attacks.

🟠

Likely Case

Attackers create multiple low-privileged accounts to establish foothold for privilege escalation or lateral movement.

🟢

If Mitigated

Limited to creating low-privileged accounts that can be detected and removed before causing significant damage.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires network access to SOAP admin service endpoint but no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific product versions

Vendor Advisory: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3574/

Restart Required: Yes

Instructions:

1. Review the vendor advisory for affected versions.
2. Apply the recommended patches.
3. Restart the affected services.
4. Verify that the patch was applied.

🔧 Temporary Workarounds

Disable SOAP Admin Service

all

Disable the vulnerable SOAP admin service endpoint

Edit configuration files to disable SOAP admin service or restrict access via firewall rules

Network Access Control

linux

Restrict network access to SOAP admin service endpoints

iptables -A INPUT -p tcp -s [TRUSTED_NETWORK] --dport [SOAP_PORT] -j ACCEPT
iptables -A INPUT -p tcp --dport [SOAP_PORT] -j DROP
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="[TRUSTED_NETWORK]" port protocol="tcp" port="[SOAP_PORT]" accept'
firewall-cmd --reload

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate WSO2 instances
  • Enable detailed logging and monitoring for user creation events

🔍 How to Verify

Check if Vulnerable:

Test if unauthorized user creation is possible via SOAP admin service endpoint

Check Version:

Check product version in admin console or configuration files

Verify Fix Applied:

Attempt to create a user via the SOAP admin service without proper authorization; the request should fail.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected user creation events
  • Multiple failed authentication attempts followed by successful user creation
  • SOAP admin service access from unusual IPs

Network Indicators:

  • Unusual SOAP traffic patterns
  • Multiple POST requests to user creation endpoints

SIEM Query:

source="wso2-logs" AND (event="user_creation" OR event="account_creation") AND result="success" | stats count by src_ip
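The SIEM query above counts successful account-creation events per source IP. The script below is an added illustration (not from the original page or from WSO2) of the same logic run offline over constructed audit lines. The key=value log format, the `event`/`result`/`src_ip` field names and the threshold are assumptions for this example, not WSO2's real audit format; adapt the parser to the log layout of your own deployment.

```python
"""Hypothetical detection logic mirroring the SIEM query on this page.

The log format below is constructed for this example; it is NOT WSO2's
real audit log format. Adapt parse_line() to your deployment's layout.
"""
import re
from collections import Counter

# Constructed sample audit lines (key=value style, made up for this example).
SAMPLE_LOGS = [
    'ts=2024-09-01T10:00:01Z source=wso2-logs event=login result=success src_ip=10.0.0.5 user=alice',
    'ts=2024-09-01T10:00:05Z source=wso2-logs event=user_creation result=success src_ip=203.0.113.7 user=tmp01',
    'ts=2024-09-01T10:00:06Z source=wso2-logs event=user_creation result=success src_ip=203.0.113.7 user=tmp02',
    'ts=2024-09-01T10:00:07Z source=wso2-logs event=account_creation result=success src_ip=203.0.113.7 user=tmp03',
    'ts=2024-09-01T10:00:09Z source=wso2-logs event=user_creation result=failure src_ip=203.0.113.7 user=tmp04',
    'ts=2024-09-01T10:01:00Z source=wso2-logs event=user_creation result=success src_ip=10.0.0.9 user=newhire',
    'ts=2024-09-01T10:02:00Z source=other-app event=user_creation result=success src_ip=198.51.100.2 user=x',
]

# Event names taken from the page's SIEM query; the field names are assumed.
CREATION_EVENTS = {"user_creation", "account_creation"}
KV_RE = re.compile(r'(\w+)=(\S+)')


def parse_line(line: str) -> dict:
    """Split a key=value audit line into a dict (constructed format)."""
    return dict(KV_RE.findall(line))


def count_successful_creations(lines) -> Counter:
    """Equivalent of the SIEM query: source=wso2-logs, creation event,
    result=success, counted by src_ip."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec.get("source") != "wso2-logs":
            continue
        if rec.get("event") not in CREATION_EVENTS:
            continue
        if rec.get("result") != "success":
            continue
        counts[rec.get("src_ip", "unknown")] += 1
    return counts


def flag_sources(counts: Counter, threshold: int = 2) -> list:
    """Source IPs whose successful creation count meets or exceeds the
    threshold, most active first. The threshold is a local tuning knob."""
    return [ip for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    counts = count_successful_creations(SAMPLE_LOGS)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} successful account creation(s)")
    print("flagged:", flag_sources(counts))
```

A single source creating several accounts in quick succession is the pattern the "Likely Case" above describes; the threshold should be set from a baseline of normal administrative account creation in your environment so that routine onboarding does not alert.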

🔗 References