Authentication Bypass in WSO2 Management Console
CVE-2025-5605

4.3 MEDIUM

What is CVE-2025-5605?

An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. An unauthenticated attacker can craft request URIs that cause the console's authentication check to be skipped, granting access to resources that should require a logged-in user. Full account compromise is not possible, but the bypass does expose sensitive internal information, such as memory statistics, that an attacker could use when planning further attacks against the system.

Affected Version(s)

org.wso2.carbon:org.wso2.carbon.ui >= 4.5.3, < 4.5.3.40 (fixed in 4.5.3.40)

org.wso2.carbon:org.wso2.carbon.ui >= 4.6.0, < 4.6.0.1224 (fixed in 4.6.0.1224)

org.wso2.carbon:org.wso2.carbon.ui >= 4.6.1, < 4.6.1.150 (fixed in 4.6.1.150)
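The three ranges above are half-open: a build is affected if its org.wso2.carbon.ui version is at or above the first value and strictly below the fixed version. The following is an added example, not code from this page or from WSO2, that encodes those ranges and checks versions against them, including a scan over constructed `mvn dependency:list`-style lines (the sample lines are made up for the example; the line format "group:artifact:type:version:scope" without a classifier is an assumption).

```python
import re

# Affected ranges for org.wso2.carbon:org.wso2.carbon.ui as listed on this page:
# (first affected version, first fixed version). Versions >= low and < high are affected.
AFFECTED_COORDINATE = "org.wso2.carbon:org.wso2.carbon.ui"
AFFECTED_RANGES = [
    ("4.5.3", "4.5.3.40"),
    ("4.6.0", "4.6.0.1224"),
    ("4.6.1", "4.6.1.150"),
]

# Constructed sample, not real build output.
SAMPLE_DEPENDENCY_LIST = [
    "[INFO] The following files have been resolved:",
    "[INFO]    org.wso2.carbon:org.wso2.carbon.core:jar:4.6.1.120:compile",
    "[INFO]    org.wso2.carbon:org.wso2.carbon.ui:jar:4.6.1.120:compile",
    "[INFO]    org.wso2.carbon:org.wso2.carbon.ui:jar:4.6.1.150:compile",
    "[INFO]    org.wso2.carbon:org.wso2.carbon.ui:jar:4.5.3:compile",
]


def parse_version(version):
    """Turn '4.6.1.150' into (4, 6, 1, 150) for tuple comparison.

    Only the leading digits of each dot-separated segment are used, so a
    '-SNAPSHOT' style qualifier is ignored. That is an assumption of this
    example; the page lists plain numeric Carbon versions only.
    """
    parts = []
    for segment in version.split("."):
        m = re.match(r"\d+", segment)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def fixed_version_for(version):
    """Return the first fixed version if `version` falls in an affected range, else None.

    Python compares tuples lexicographically, so (4, 5, 3) < (4, 5, 3, 40) holds
    and a bare '4.5.3' is correctly treated as affected.
    """
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= v < parse_version(high):
            return high
    return None


def is_affected(version):
    return fixed_version_for(version) is not None


def scan_dependency_list(lines):
    """Scan dependency-list lines and report affected org.wso2.carbon.ui entries.

    Returns a list of (version, first_fixed_version) tuples in input order.
    """
    findings = []
    for line in lines:
        m = re.search(r"([\w.-]+:[\w.-]+):[\w-]+:([\w.-]+):\w+", line)
        if not m:
            continue
        coordinate, version = m.group(1), m.group(2)
        if coordinate != AFFECTED_COORDINATE:
            continue
        fixed = fixed_version_for(version)
        if fixed is not None:
            findings.append((version, fixed))
    return findings


if __name__ == "__main__":
    for version, fixed in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        print(f"{AFFECTED_COORDINATE}:{version} is affected by CVE-2025-5605; upgrade to {fixed}")
```

Feed the scanner the output of your own build's dependency listing, or apply `fixed_version_for` to the version embedded in the org.wso2.carbon.ui jar name found under the product's lib directory.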

EPSS Score

EPSS estimates a 7% probability that this vulnerability will see exploitation activity in the wild within the next 30 days.

CVSS V3.1

Score: 4.3 (MEDIUM)
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: Low

Note: scored with the CVSS v3.1 base formula, the metrics as listed give 5.4, not 4.3; 4.3 is the score of the same vector with Availability: None. One of the two values on this page is therefore inconsistent with the other, so check the vector in the upstream advisory before copying either into a tracker.

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Noël Maccary