Cyber Resilience

CVE-2025-10611

Severity: Critical
Published: 16 October 2025
Modified: 21 November 2025
KEV added: not listed
Patch: see the WSO2 security advisory linked below
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0017 (38.2nd percentile)
Risk priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-10611 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in WSO2 API Manager. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 38.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-25 (Reference Monitor).

Deeper analysis

CVE-2025-10611 is a critical vulnerability (CVSS score 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) published on 2025-10-16, associated with CWE-863 (Incorrect Authorization). It stems from an insufficient access control implementation in multiple WSO2 products, enabling attackers to bypass authentication and authorization checks for certain REST APIs and invoke them without proper validation.

The vulnerability can be exploited remotely by unauthenticated attackers requiring no privileges, low attack complexity, and no user interaction. Successful exploitation allows a malicious actor to gain administrative access and perform unauthenticated and unauthorized administrative operations.

Mitigation details are available in the WSO2 security advisory at https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4585/.


Vulnerability details

Due to an insufficient access control implementation in multiple WSO2 products, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without proper validation. Successful exploitation of this vulnerability could lead to a malicious actor gaining administrative access and performing unauthenticated and unauthorized administrative operations.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows unauthenticated remote attackers to bypass authorization on public-facing REST APIs in WSO2 products, directly enabling exploitation of a public-facing application to gain administrative access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-2374 (same product: WSO2 API Manager)
CVE-2025-10713 (same product: WSO2 API Control Plane)
CVE-2025-10907 (same product: WSO2 API Control Plane)
CVE-2025-10908 (same product: WSO2 Identity Server)
CVE-2025-13590 (same product: WSO2 API Control Plane)
CVE-2025-11093 (same product: WSO2 API Control Plane)
CVE-2024-8010 (same product: WSO2 API Manager)
CVE-2025-21565 (shared CWE-863)
CVE-2026-46823 (shared CWE-863)
CVE-2026-44260 (shared CWE-863)

Affected Assets

Vendor: WSO2. Product and affected versions:

API Control Plane: 4.5.0
API Manager: 2.1.0, 2.2.0, 2.5.0, 2.6.0, 3.0.0
Identity Server: 5.10.0, 5.11.0, 5.3.0, 5.5.0, 5.6.0
Identity Server as Key Manager: 5.10.0, 5.3.0, 5.5.0, 5.6.0, 5.7.0
Open Banking AM: 1.4.0, 1.5.0, 2.0.0
Open Banking IAM: 2.0.0
Open Banking KM: 1.4.0, 1.5.0
Traffic Manager: 4.5.0
Universal Gateway: 4.5.0

Mitigating Controls (NIST 800-53 r5)

Prevent: Enforces approved authorizations for logical access to information and system resources, directly preventing bypass of authentication and authorization checks on vulnerable REST APIs.

Prevent: Authorizes access to system resources based on [organization-defined personnel or roles], addressing the incorrect authorization that enables unauthenticated administrative operations.

Prevent: Implements a tamper-proof reference monitor that mediates all access decisions without bypass, comprehensively mitigating the insufficient access control implementation in WSO2 products.
