CVE-2025-10611
📋 TL;DR
This critical vulnerability in WSO2 products allows attackers to bypass authentication and authorization checks for certain REST APIs, enabling unauthenticated administrative access. Attackers could perform unauthorized administrative operations, potentially compromising the entire system. All organizations using affected WSO2 products are at risk.
💻 Affected Systems
- WSO2 API Manager
- WSO2 Identity Server
- WSO2 Enterprise Integrator
- WSO2 Micro Integrator
- WSO2 Streaming Integrator
- WSO2 Microgateway
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with administrative access, data theft, service disruption, and lateral movement to connected systems.
Likely Case
Unauthorized administrative operations, privilege escalation, configuration changes, and potential data exposure.
If Mitigated
Limited impact if network segmentation, API gateways, and strict access controls are properly implemented.
🎯 Exploit Status
CVSS 9.8 indicates critical severity: low attack complexity and no user interaction required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched versions per product
Vendor Advisory: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4585/
Restart Required: Yes
Instructions:
1. Review the vendor advisory for affected versions.
2. Apply the security patches from WSO2.
3. Restart the affected services.
4. Verify that the patch was applied.
🔧 Temporary Workarounds
Network Access Control
Restrict network access to WSO2 management interfaces and APIs
API Gateway Protection
Place WSO2 APIs behind an API gateway with strict authentication
🧯 If You Can't Patch
- Implement strict network segmentation and firewall rules to limit access to WSO2 systems
- Deploy web application firewall (WAF) with rules to detect and block unauthorized API access attempts
🔍 How to Verify
Check if Vulnerable:
Compare the WSO2 product version against the vendor advisory, and test whether the affected REST APIs enforce authentication and authorization.
Check Version:
Consult the WSO2 product documentation for the version-check command specific to your installation.
Verify Fix Applied:
Verify that the patched version is installed, then test that authentication and authorization checks are enforced on the REST APIs.
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated API calls to administrative endpoints
- Failed authentication attempts followed by successful administrative operations
- Unusual administrative activity from unexpected sources
Network Indicators:
- Unusual REST API traffic patterns
- Administrative API calls from unauthorized IP addresses
- High volume of API requests without authentication headers
SIEM Query:
source="wso2" AND (event_type="api_call" AND (user="anonymous" OR auth_status="failed")) AND (endpoint CONTAINS "/admin/" OR endpoint CONTAINS "/management/")
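The log indicators and SIEM query above, turned into runnable detection logic as an added Python example (not from the advisory or from WSO2). The log lines are constructed; field names follow the SIEM query (event_type, user, auth_status, endpoint) and src_ip is an assumed extra field for the "failed authentication followed by a successful administrative operation" sequence rule.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real WSO2 output). Field names follow the
# SIEM query above (event_type, user, auth_status, endpoint); src_ip is assumed.
SAMPLE_LOGS = """\
ts=2025-09-01T10:00:01Z event_type=api_call src_ip=10.0.0.5 user=admin auth_status=success endpoint=/api/admin/users
ts=2025-09-01T10:00:02Z event_type=api_call src_ip=203.0.113.7 user=anonymous auth_status=none endpoint=/api/admin/users
ts=2025-09-01T10:00:03Z event_type=api_call src_ip=203.0.113.7 user=anonymous auth_status=none endpoint=/api/public/health
ts=2025-09-01T10:00:04Z event_type=api_call src_ip=198.51.100.9 user=bob auth_status=failed endpoint=/management/config
ts=2025-09-01T10:00:05Z event_type=api_call src_ip=198.51.100.9 user=bob auth_status=success endpoint=/management/config
"""

ADMIN_PATHS = ("/admin/", "/management/")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Parse one key=value log line into a dict."""
    return dict(KV_RE.findall(line))

def is_admin_endpoint(endpoint):
    """True for the administrative/management paths the SIEM query targets."""
    return any(p in endpoint for p in ADMIN_PATHS)

def find_suspicious(log_text):
    """Return (rule1_hits, rule2_hits).
    Rule 1 mirrors the SIEM query: an admin endpoint reached anonymously or
    with a failed auth status. Rule 2: a failed authentication from a source
    followed by a successful administrative operation from the same source."""
    rule1, rule2 = [], []
    saw_failure = defaultdict(bool)  # src_ip -> failed auth seen since last success
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("event_type") != "api_call":
            continue
        admin = is_admin_endpoint(ev.get("endpoint", ""))
        status = ev.get("auth_status")
        if admin and (ev.get("user") == "anonymous" or status == "failed"):
            rule1.append(ev)
        src = ev.get("src_ip")
        if status == "failed":
            saw_failure[src] = True
        elif status == "success":
            if admin and saw_failure[src]:
                rule2.append(ev)
            saw_failure[src] = False
    return rule1, rule2
```

Against the sample, rule 1 flags the anonymous and the failed requests to administrative paths but not the anonymous call to the public health endpoint, and rule 2 flags only the successful management call that follows a failure from the same source.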