Authorization Flaw in WSO2 Products Allowing User Account Takeover
CVE-2024-6914

8.8 HIGH

What is CVE-2024-6914?

An authorization flaw exists in several WSO2 products, caused by a business logic error in the account recovery SOAP admin service. An attacker can abuse the account recovery flow to reset the password of any user account, which results in full account takeover, including accounts that hold elevated privileges. The vulnerable service is reached through the SOAP admin services exposed under the '/services' context path, so the practical attack surface depends on who can reach that path. Restricting access to the '/services' context in line with WSO2's security guidelines (for example, denying the path at the reverse proxy or load balancer for all but trusted administrative networks) considerably reduces the impact, but it is a mitigation rather than a fix: apply the fixed update levels for affected products.
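The advisory's mitigation is to make the '/services' context unreachable from untrusted network positions. The following is an added example (not WSO2 code and not part of the advisory) that probes a deployment from wherever it is run and reports whether the SOAP admin services still answer. It assumes the account recovery service lives at /services/UserInformationRecoveryService (the advisory does not name the service; that name is taken from WSO2 Carbon and is an assumption), and it assumes a proxy that follows the guidelines answers 403 or 404 for the whole context. The host name and the canned responses used in the offline demo are constructed.

```python
"""Check whether a WSO2 deployment still exposes the SOAP admin services
under '/services' from the network position this script runs from.

Added example, not WSO2 code. Assumptions (not from the advisory):
  - the account recovery admin service is at
    /services/UserInformationRecoveryService (name assumed from WSO2 Carbon);
  - an edge that follows the WSO2 guidelines answers 403/404 for anything
    under /services, while an unprotected deployment lets the Carbon app
    answer with a WSDL (200), an auth challenge (401) or a SOAP fault (500).
"""
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# Paths assumed for the check; the advisory only names the '/services' context.
PROBE_PATHS = (
    "/services/",
    "/services/UserInformationRecoveryService?wsdl",
    "/services/UserAdmin?wsdl",
)
BLOCKED_STATUSES = {403, 404}
Fetcher = Callable[[str], Tuple[int, str]]


def urllib_fetch(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Live fetcher: GET url, return (status, first 200 bytes of body).
    Certificate verification is disabled because WSO2 ships self-signed
    certificates; only run this against hosts you are authorised to test."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read(200).decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read(200).decode("utf-8", "replace")


def classify(status: int, body: str) -> str:
    """'blocked' if the edge refused the path; 'exposed' if the Carbon app
    answered (a WSDL, an auth challenge or a SOAP fault all prove that the
    '/services' context is reachable); 'unknown' for anything else."""
    if status in BLOCKED_STATUSES:
        return "blocked"
    if status in (200, 401, 500):
        return "exposed"
    if "wsdl:definitions" in body or "soapenv" in body or "Fault" in body:
        return "exposed"
    return "unknown"


def assess(base_url: str, fetch: Fetcher = urllib_fetch) -> Dict[str, str]:
    """Probe every path and return {path: verdict}."""
    results: Dict[str, str] = {}
    for path in PROBE_PATHS:
        try:
            status, body = fetch(base_url.rstrip("/") + path)
        except (urllib.error.URLError, OSError) as exc:
            results[path] = f"unreachable ({exc.__class__.__name__})"
            continue
        results[path] = classify(status, body)
    return results


def overall_verdict(results: Dict[str, str]) -> str:
    """The deployment needs the mitigation if any probe reached the app."""
    return "EXPOSED" if "exposed" in results.values() else "NOT_EXPOSED"


# Constructed responses standing in for a live host so the demo runs offline.
_FAKE_UNPROTECTED = {
    "/services/": (200, "<html>Deployed services</html>"),
    "/services/UserInformationRecoveryService?wsdl":
        (200, '<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">'),
    "/services/UserAdmin?wsdl": (401, ""),
}
_FAKE_HARDENED = {p: (403, "<html>403 Forbidden</html>") for p in PROBE_PATHS}


def fake_fetcher(table: Dict[str, Tuple[int, str]]) -> Fetcher:
    """Fetcher that answers from a canned table instead of the network."""
    def fetch(url: str) -> Tuple[int, str]:
        return table[url[url.index("/services"):]]
    return fetch


def demo() -> Tuple[str, str]:
    """Verdicts for the unprotected and the hardened constructed deployments."""
    base = "https://apim.example.internal:9443"  # constructed host name
    before = assess(base, fake_fetcher(_FAKE_UNPROTECTED))
    after = assess(base, fake_fetcher(_FAKE_HARDENED))
    return overall_verdict(before), overall_verdict(after)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # live check: python check.py https://host:9443
        res = assess(sys.argv[1])
        for path, verdict in res.items():
            print(f"{verdict:12} {path}")
        print(overall_verdict(res))
    else:                                       # offline demo on constructed data
        print(demo())
```

Run it from each network segment that should not have administrative access; an EXPOSED verdict from an untrusted segment means the '/services' context is still reachable there and the mitigation is not in place. The check proves reachability only, not the presence of the flaw, so a NOT_EXPOSED result does not remove the need to apply the fixed update levels.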

Affected Version(s)

WSO2 API Manager 2.2.0, update levels below 2.2.0.55

WSO2 API Manager 2.5.0, update levels below 2.5.0.82

WSO2 API Manager 2.6.0, update levels below 2.6.0.141

CVSS V3.1

Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Credit

Anonymous working with Trend Micro Zero Day Initiative.