CVE-2025-10611
Published: 16 October 2025
Summary
CVE-2025-10611 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in WSO2 API Manager. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 49.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-25 (Reference Monitor).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Enforces approved authorizations for logical access to information and system resources, directly preventing bypass of authentication and authorization checks on vulnerable REST APIs.
- Authorizes access to system resources based on [organization-defined personnel or roles], addressing the incorrect authorization that enables unauthenticated administrative operations.
- Implements a tamper-proof reference monitor that mediates all access decisions without bypass, comprehensively mitigating the insufficient access control implementation in WSO2 products.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows unauthenticated remote attackers to bypass authorization on public-facing REST APIs in WSO2 products, directly enabling exploitation of a public-facing application to gain administrative access.
NVD Description
Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without proper validation. Successful exploitation of this vulnerability could lead to a malicious actor gaining administrative access and performing unauthenticated and unauthorized administrative operations.
Deeper analysis
CVE-2025-10611 is a critical vulnerability (CVSS score 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) published on 2025-10-16, associated with CWE-863 (Incorrect Authorization). It stems from an insufficient access control implementation in multiple WSO2 products, enabling attackers to bypass authentication and authorization checks for certain REST APIs and invoke them without proper validation.
The vulnerability can be exploited remotely by unauthenticated attackers: it requires no privileges, has low attack complexity, and needs no user interaction. Successful exploitation allows a malicious actor to gain administrative access and perform unauthenticated and unauthorized administrative operations.
Mitigation details are available in the WSO2 security advisory at https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4585/.
Details
- CWE(s): CWE-863 (Incorrect Authorization)