Improper Privilege Management in WSO2 API Manager
CVE-2025-9152

9.8CRITICAL

Key Information:

Vendor: Wso2
Status: Wso2 Api Manager; Wso2 Api Control Plane
Vendor: CVE Published:; 16 October 2025

What is CVE-2025-9152?

A vulnerability has been identified in WSO2 API Manager that occurs due to insufficient authentication and authorization checks in the keymanager-operations Dynamic Client Registration (DCR) endpoint. Exploitation of this flaw allows malicious users to generate access tokens with elevated privileges, which could result in unauthorized administrative access and the ability to execute unauthorized operations. Organizations utilizing WSO2 API Manager should assess the impact and implement necessary security measures to mitigate this risk.

Affected Version(s)

WSO2 API Control Plane 4.5.0 < 4.5.0.20

WSO2 API Manager 3.2.0 < 3.2.0.437

WSO2 API Manager 3.2.1 < 3.2.1.57

References

https://security.docs.wso2.com/en/latest/security-announc...

vendor-advisory

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 16, 2025
Vulnerability Reserved
Aug 19, 2025

Credit

crnković

JSON

Wso2

What is CVE-2025-9152?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit