Improper Access Control Vulnerability in WSO2 Enterprise Integrator
CVE-2025-9955

5.7 MEDIUM

What is CVE-2025-9955?

A vulnerability has been identified in WSO2 Enterprise Integrator that arises from inadequate permission settings on internal SOAP admin services. This weakness allows low-privileged users to access sensitive information regarding system logs and user-store configurations, which should not be visible at their access level. Although the vulnerability does not expose credentials or sensitive user data, it may enable unauthorized users to gain insights into internal operational functions. This access could be leveraged for further exploitation or to gather reconnaissance information.

Affected Version(s)

org.wso2.carbon:org.wso2.carbon.base 4.4.8 < 4.4.8.7

org.wso2.carbon:org.wso2.carbon.base 4.4.14 < 4.4.14.5

org.wso2.carbon:org.wso2.carbon.base 4.4.16 < 4.4.16.9

CVSS V3.1

Score: 5.7
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
