{"id":22054,"date":"2025-10-16T08:29:42","date_gmt":"2025-10-16T08:29:42","guid":{"rendered":"http:\/\/localhost\/?p=22054"},"modified":"2025-10-16T08:29:42","modified_gmt":"2025-10-16T08:29:42","slug":"improper-access-control-in-multiple-wso2-products-via-internal-soap-admin-services-and-system-rest-a","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=22054","title":{"rendered":"Improper Access Control in Multiple WSO2 Products via Internal SOAP Admin Services and System REST APIs_CVE-2025-9804"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;&#8221;,&#8221;description&#8221;:&#8221;An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information.\\n\\nThis vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager&#8217;s API Gateway remain unaffected.&#8221;,&#8221;published&#8221;:&#8221;2025-10-16T12:33:45.426Z&#8221;,&#8221;modified&#8221;:&#8221;2025-10-16T13:21:25.991Z&#8221;,&#8221;type&#8221;:&#8221;cve&#8221;,&#8221;title&#8221;:&#8221;Improper Access Control in Multiple WSO2 Products via Internal SOAP Admin Services and System REST APIs&#8221;,&#8221;source&#8221;:&#8221;WSO2&#8243;,&#8221;references&#8221;:&#8221;https:\/\/security.docs.wso2.com\/en\/latest\/security-announcements\/security-advisories\/2025\/WSO2-2025-4503\/&#8221;,&#8221;id&#8221;:&#8221;CVE-2025-9804&#8243;,&#8221;bulletinFamily&#8221;:&#8221;&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:null,&#8221;sourceData&#8221;:&#8221;WSO2 WSO2 Identity Server as Key Manager 5.3.0\\nWSO2 WSO2 Identity Server as Key Manager 5.5.0\\nWSO2 WSO2 Identity Server as Key Manager 5.6.0\\nWSO2 WSO2 Identity Server as Key Manager 5.7.0\\nWSO2 WSO2 Identity Server as Key Manager 5.9.0\\nWSO2 WSO2 Identity Server as Key Manager 5.10.0\\nWSO2 WSO2 Identity Server 5.2.0\\nWSO2 WSO2 Identity Server 5.3.0\\nWSO2 WSO2 Identity Server 5.4.0\\nWSO2 WSO2 Identity Server 5.4.1\\nWSO2 WSO2 Identity Server 5.5.0\\nWSO2 WSO2 Identity Server 5.6.0\\nWSO2 WSO2 Identity Server 5.7.0\\nWSO2 WSO2 Identity Server 5.8.0\\nWSO2 WSO2 Identity Server 5.9.0\\nWSO2 WSO2 Identity Server 5.10.0\\nWSO2 WSO2 Identity Server 5.11.0\\nWSO2 WSO2 Identity Server 6.0.0\\nWSO2 WSO2 Identity Server 6.1.0\\nWSO2 WSO2 Identity Server 7.0.0\\nWSO2 WSO2 Identity Server 7.1.0\\nWSO2 WSO2 Open Banking KM 1.4.0\\nWSO2 WSO2 Open Banking KM 1.5.0\\nWSO2 WSO2 Open Banking IAM 2.0.0\\nWSO2 WSO2 Open Banking AM 1.4.0\\nWSO2 WSO2 Open Banking AM 1.5.0\\nWSO2 WSO2 Open Banking AM 2.0.0\\nWSO2 WSO2 API Manager 2.0.0\\nWSO2 WSO2 API Manager 2.1.0\\nWSO2 WSO2 API Manager 2.2.0\\nWSO2 WSO2 API Manager 2.5.0\\nWSO2 WSO2 API Manager 2.6.0\\nWSO2 WSO2 API Manager 3.0.0\\nWSO2 WSO2 API Manager 3.1.0\\nWSO2 WSO2 API Manager 3.2.0\\nWSO2 WSO2 API Manager 3.2.1\\nWSO2 WSO2 API Manager 4.0.0\\nWSO2 WSO2 API Manager 4.1.0\\nWSO2 WSO2 API Manager 4.2.0\\nWSO2 WSO2 API Manager 4.3.0\\nWSO2 WSO2 API Manager 4.4.0\\nWSO2 WSO2 API Manager 4.5.0\\nWSO2 WSO2 Identity Server Analytics 5.2.0\\nWSO2 WSO2 Identity Server Analytics 5.3.0\\nWSO2 WSO2 Identity Server Analytics 5.5.0\\nWSO2 WSO2 Identity Server Analytics 5.6.0\\nWSO2 API Manager Analytics 2.0.0\\nWSO2 API Manager Analytics 2.1.0\\nWSO2 API Manager Analytics 2.2.0\\nWSO2 API Manager Analytics 2.5.0\\nWSO2 WSO2 Enterprise Integrator 6.2.0\\nWSO2 WSO2 Enterprise Integrator 6.3.0\\nWSO2 WSO2 Enterprise Service Bus Analytics 5.0.0\\nWSO2 WSO2 Data Analytics Server 3.1.0\\nWSO2 WSO2 Data Analytics Server 3.2.0\\nWSO2 WSO2 Enterprise Mobility Manager 2.2.0\\nWSO2 WSO2 Universal Gateway 4.5.0\\nWSO2 WSO2 API Control Plane 4.5.0\\nWSO2 WSO2 Traffic Manager 4.5.0\\nWSO2 org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector 2.0.10\\nWSO2 org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector 2.0.15\\nWSO2 org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector 2.0.21\\nWSO2 org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector 2.0.22\\nWSO2 org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector 2.1.12\\nWSO2 org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector 2.1\\nWSO2 org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector 2.2\\nWSO2 org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector 2.2\\nWSO2 org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector 3.1.0\\nWSO2 org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector 3.3.6\\nWSO2 org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector 3.3.26\\nWSO2 org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector 3.3.35\\nWSO2 org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util 6.7.206\\nWSO2 org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util 6.7.210\\nWSO2 org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util 9.0.174\\nWSO2 org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util 9.20.74\\nWSO2 org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util 9.28.116\\nWSO2 org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util 9.29.120\\nWSO2 org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util 9.30.67\\nWSO2 org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util 9.31.86\\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.4.7\\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.4.9\\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.4.11\\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.4.26\\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.4.35\\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.5.1\\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.6.0\\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.6.1\\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.6.2\\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.6.3\\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.6.4\\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.7.1\\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.8.1\\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.9.0\\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.9.26\\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.9.27\\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.9.28\\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.10.9\\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.10.42\\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.9\\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.10\\nWSO2 org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt 5.2.0\\nWSO2 org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt 5.2.2\\nWSO2 org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt 5.7.5\\nWSO2 org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt 5.11.148\\nWSO2 org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt 5.11.256\\nWSO2 org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt 5.12.153\\nWSO2 org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt 5.12.387\\nWSO2 org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt 5.14.97\\nWSO2 org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt 5.17.5\\nWSO2 org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt 5.17.118\\nWSO2 org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt 5.18.187\\nWSO2 org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt 5.18.248\\nWSO2 org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt 5.23.8\\nWSO2 org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt 5.24.8\\nWSO2 org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt 5.25.92\\nWSO2 org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt 5.25.705\\nWSO2 org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt 5.25.713\\nWSO2 org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt 5.25.724\\nWSO2 org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt 7.0.78\\nWSO2 org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt 7.8.23\\nWSO2 org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt 5.25\\nWSO2 org.wso2.carbon:org.wso2.carbon.server.admin 4.4.7\\nWSO2 org.wso2.carbon:org.wso2.carbon.server.admin 4.4.9\\nWSO2 org.wso2.carbon:org.wso2.carbon.server.admin 4.4.11\\nWSO2 org.wso2.carbon:org.wso2.carbon.server.admin 4.4.26\\nWSO2 org.wso2.carbon:org.wso2.carbon.server.admin 4.4.32\\nWSO2 org.wso2.carbon:org.wso2.carbon.server.admin 4.4.35\\nWSO2 org.wso2.carbon:org.wso2.carbon.server.admin 4.5.1\\nWSO2 org.wso2.carbon:org.wso2.carbon.server.admin 4.6.0\\nWSO2 org.wso2.carbon:org.wso2.carbon.server.admin 4.6.1\\nWSO2 org.wso2.carbon:org.wso2.carbon.server.admin 4.6.2\\nWSO2 org.wso2.carbon:org.wso2.carbon.server.admin 4.6.3\\nWSO2 org.wso2.carbon:org.wso2.carbon.server.admin 4.6.4\\nWSO2 org.wso2.carbon:org.wso2.carbon.server.admin 4.7.1\\nWSO2 org.wso2.carbon:org.wso2.carbon.server.admin 4.8.1\\nWSO2 org.wso2.carbon:org.wso2.carbon.server.admin 4.9.0\\nWSO2 org.wso2.carbon:org.wso2.carbon.server.admin 4.9.26\\nWSO2 org.wso2.carbon:org.wso2.carbon.server.admin 4.9.27\\nWSO2 org.wso2.carbon:org.wso2.carbon.server.admin 4.9.28\\nWSO2 org.wso2.carbon:org.wso2.carbon.server.admin 4.10.9\\nWSO2 org.wso2.carbon:org.wso2.carbon.server.admin 4.10.42\\nWSO2 org.wso2.carbon:org.wso2.carbon.server.admin 4.9\\nWSO2 org.wso2.carbon:org.wso2.carbon.server.admin 4.10\\nWSO2 org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow 5.1.1\\nWSO2 org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow 5.1.2\\nWSO2 org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow 5.1.5\\nWSO2 org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow 5.3.3\\nWSO2 org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow 5.4.0\\nWSO2 org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow 5.4.1\\nWSO2 org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow 5.6.0&#8243;,&#8221;sourceHref&#8221;:&#8221;&#8221;,&#8221;cvss&#8221;:{&#8220;score&#8221;:9.6,&#8221;severity&#8221;:&#8221;CRITICAL&#8221;,&#8221;vector&#8221;:&#8221;CVSS:3.1\/AV:A\/AC:L\/PR:N\/UI:N\/S:C\/C:H\/I:H\/A:H&#8221;,&#8221;version&#8221;:&#8221;3.1&#8243;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;&#8221;,&#8221;category_name&#8221;:&#8221;CVE&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;WSO2 Identity Server as Key Manager&#8221;,&#8221;version&#8221;:&#8221;0&#8243;,&#8221;vendor&#8221;:&#8221;WSO2&#8243;,&#8221;ai_description&#8221;:&#8221;&#8221;,&#8221;ai_severity&#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;&#8221;,&#8221;description&#8221;:&#8221;An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs&#8230;.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[9,6,8,62,12,13,7,11,5],"class_list":["post-22054","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-critical","tag-cve","tag-cvss","tag-cvss-96","tag-exploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Improper Access Control in Multiple WSO2 Products via Internal SOAP Admin Services and System REST APIs_CVE-2025-9804 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=22054\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Improper Access Control in Multiple WSO2 Products via Internal SOAP Admin Services and System REST APIs_CVE-2025-9804 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{&#8220;lastseen&#8221;:&#8221;&#8221;,&#8221;description&#8221;:&#8221;An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs....\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=22054\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-10-16T08:29:42+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=22054#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=22054\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Improper Access Control in Multiple WSO2 Products via Internal SOAP Admin Services and System REST APIs_CVE-2025-9804\",\"datePublished\":\"2025-10-16T08:29:42+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=22054\"},\"wordCount\":1491,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CRITICAL\",\"CVE\",\"CVSS\",\"CVSS-9.6\",\"exploit\",\"news\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_cve\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=22054#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=22054\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=22054\",\"name\":\"Improper Access Control in Multiple WSO2 Products via Internal SOAP Admin Services and System REST APIs_CVE-2025-9804 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-10-16T08:29:42+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=22054#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=22054\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=22054#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Improper Access Control in Multiple WSO2 Products via Internal SOAP Admin Services and System REST APIs_CVE-2025-9804\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Improper Access Control in Multiple WSO2 Products via Internal SOAP Admin Services and System REST APIs_CVE-2025-9804 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=22054","og_locale":"en_US","og_type":"article","og_title":"Improper Access Control in Multiple WSO2 Products via Internal SOAP Admin Services and System REST APIs_CVE-2025-9804 - zero redgem","og_description":"{&#8220;lastseen&#8221;:&#8221;&#8221;,&#8221;description&#8221;:&#8221;An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs....","og_url":"https:\/\/zero.redgem.net\/?p=22054","og_site_name":"zero redgem","article_published_time":"2025-10-16T08:29:42+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=22054#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=22054"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Improper Access Control in Multiple WSO2 Products via Internal SOAP Admin Services and System REST APIs_CVE-2025-9804","datePublished":"2025-10-16T08:29:42+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=22054"},"wordCount":1491,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CRITICAL","CVE","CVSS","CVSS-9.6","exploit","news","Security","tapic","Vulnerability"],"articleSection":["category_cve"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=22054#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=22054","url":"https:\/\/zero.redgem.net\/?p=22054","name":"Improper Access Control in Multiple WSO2 Products via Internal SOAP Admin Services and System REST APIs_CVE-2025-9804 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-10-16T08:29:42+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=22054#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=22054"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=22054#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Improper Access Control in Multiple WSO2 Products via Internal SOAP Admin Services and System REST APIs_CVE-2025-9804"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/22054","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=22054"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/22054\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=22054"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=22054"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=22054"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}