CVE-2025-5605

EUVD-2025-35828
An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the console can manipulate the request URI to bypass authentication and access certain restricted resources, resulting in partial information disclosure.

The known exposure from this issue is limited to memory statistics. While the vulnerability does not allow full account compromise, it still enables unauthorized access to internal system details.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 MEDIUM
ADJACENT_NETWORK
LOW
NONE
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
WSO2CNA
4.3 MEDIUM
ADJACENT_NETWORK
LOW
NONE
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 91%
Affected Products (NVD)
VendorProductVersion
wso2api_control_plane
4.5.0
wso2api_manager
3.1.0
wso2api_manager
3.2.0
wso2api_manager
3.2.1
wso2api_manager
4.0.0
wso2api_manager
4.1.0
wso2api_manager
4.2.0
wso2api_manager
4.3.0
wso2api_manager
4.4.0
wso2api_manager
4.5.0
wso2enterprise_integrator
6.6.0
wso2identity_server
5.10.0
wso2identity_server
5.11.0
wso2identity_server
6.0.0
wso2identity_server
6.1.0
wso2identity_server
7.0.0
wso2identity_server
7.1.0
wso2identity_server_as_key_manager
5.10.0
wso2open_banking_am
2.0.0
wso2open_banking_iam
2.0.0
wso2traffic_manager
4.5.0
wso2universal_gateway
4.5.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4115/