
CVE-2025-8325

Medium

Published: 11 May 2026

Modified
27 May 2026
KEV Added
Patch
CVSS Score v3.1 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0017 (7.1 percentile)
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2025-8325 is a medium-severity Improper Preservation of Permissions (CWE-281) vulnerability in WSO2 API Manager. Its CVSS v3.1 base score is 6.3 (Medium): the vector requires a low-privileged authenticated account (PR:L), no user interaction, and yields a limited loss of confidentiality, integrity and availability within the affected component.

Operationally, its EPSS score places it at the 7.1 percentile for exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog. The low EPSS reflects that exploitation needs a valid account on the deployment; it does not mean the issue is safe to leave unpatched where self-registration or broad internal login is enabled.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

The software fails to enforce role-based access controls for certain Gateway API invocations. Users holding only the 'Internal/Everyone' role, which every authenticated WSO2 account carries, can invoke these APIs, bypassing the intended permission checks. The same weakness affects Internal Service APIs, potentially exposing them in WSO2 APIM 3.x versions.

A malicious actor with a valid user account on a vulnerable deployment can therefore perform sensitive operations against the Gateway REST API regardless of their actual roles or privileges. This could lead to unintended behavior or misuse, particularly in production environments where the Gateway REST API is reachable from the same network as ordinary API consumers or developer-portal users.
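The authorization failure described above, modelled as an added example that is not WSO2 project code: a check that only proves the caller is authenticated (which any holder of Internal/everyone satisfies) is placed beside a check that requires one of the endpoint's configured roles, and a small audit helper flags test-account responses that indicate the vulnerable behavior. The endpoint names, the principals and the response log are constructed for the example; the role name Internal/everyone is WSO2's built-in role, compared case-insensitively because the advisory text spells it Internal/Everyone.

```python
"""Added example (not WSO2 code): vulnerable vs. fixed role check for a
Gateway REST API call, plus an audit over constructed response records."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple

# Every authenticated WSO2 user implicitly holds this role.
EVERYONE = "internal/everyone"


@dataclass(frozen=True)
class Principal:
    username: str
    roles: FrozenSet[str]


def _norm(roles: Iterable[str]) -> FrozenSet[str]:
    """Role names are matched case-insensitively."""
    return frozenset(r.lower() for r in roles)


def is_authorized_vulnerable(user: Principal, required_roles: Iterable[str]) -> bool:
    """Vulnerable pattern: the 'role check' only establishes that the caller
    is an authenticated user, so the endpoint's required roles are ignored."""
    return EVERYONE in _norm(user.roles)


def is_authorized_fixed(user: Principal, required_roles: Iterable[str]) -> bool:
    """Fixed pattern: the caller must hold at least one of the roles the
    endpoint was configured with, and Internal/everyone never counts."""
    effective = _norm(user.roles) - {EVERYONE}
    return bool(effective & _norm(required_roles))


@dataclass(frozen=True)
class Observation:
    """One probe of a Gateway REST API endpoint by a known test account."""
    endpoint: str          # placeholder name; real paths are deployment-specific
    required_roles: FrozenSet[str]
    user: Principal
    status: int            # HTTP status the deployment returned


def audit(observations: Iterable[Observation]) -> List[Tuple[str, str]]:
    """Return (endpoint, username) pairs where a caller who should have been
    denied under the fixed check nevertheless received a 2xx response."""
    findings = []
    for obs in observations:
        if 200 <= obs.status < 300 and not is_authorized_fixed(obs.user, obs.required_roles):
            findings.append((obs.endpoint, obs.user.username))
    return findings


# Constructed principals: a low-privilege tester and an admin.
TESTER = Principal("tester", frozenset({"Internal/Everyone"}))
ADMIN = Principal("admin", frozenset({"admin", "Internal/Everyone"}))
GATEWAY_ADMIN_ROLES = frozenset({"admin"})

# Constructed response log: the second record is what an unpatched
# deployment would produce, the third is what a patched one should produce.
SAMPLE_OBSERVATIONS = [
    Observation("gateway-rest-api-endpoint-A", GATEWAY_ADMIN_ROLES, ADMIN, 200),
    Observation("gateway-rest-api-endpoint-A", GATEWAY_ADMIN_ROLES, TESTER, 200),
    Observation("gateway-rest-api-endpoint-B", GATEWAY_ADMIN_ROLES, TESTER, 403),
]


if __name__ == "__main__":
    print("vulnerable check lets tester through:",
          is_authorized_vulnerable(TESTER, GATEWAY_ADMIN_ROLES))
    print("fixed check lets tester through:",
          is_authorized_fixed(TESTER, GATEWAY_ADMIN_ROLES))
    for endpoint, user in audit(SAMPLE_OBSERVATIONS):
        print(f"FINDING: {user} reached {endpoint} without a required role")
```

To turn this into a live check, populate the observation list from real requests made with an account that holds nothing but Internal/everyone; any 2xx recorded for that account against a role-restricted Gateway REST API is the vulnerable behavior, and a patched deployment should return a denial for every such probe.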

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v19.0

Affected Assets

WSO2 API Control Plane: 4.5.0 through 4.5.0.18
WSO2 API Manager: 3.2.0 through 3.2.0.435; 3.2.1 through 3.2.1.55; 4.0.0 through 4.0.0.355
WSO2 Traffic Manager: 4.5.0 through 4.5.0.17
WSO2 Universal Gateway: 4.5.0 through 4.5.0.17

The fourth version component is the WSO2 update level, so a range such as 4.5.0 through 4.5.0.17 covers the base 4.5.0 release up to and including update level 17; when checking a deployment, compare the installed update level rather than just the product version.

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-281

Forces removal or modification of permissions no longer required after reassignment, preventing improper preservation of old access rights.

Because this control is derived from the CWE rather than from the CVE itself, it only partly fits the reported behavior: the problem described for CVE-2025-8325 is that the Gateway API invocations are not checked against the caller's roles at all, not that stale permissions survive a role change. The practical control is to apply the vendor update for the affected product and update level, and to confirm afterwards that an account holding only the Internal/Everyone role is denied on the affected Gateway REST API and Internal Service API calls.

References