
CVE-2024-7097: Vulnerability in WSO2 Open Banking AM

Severity: Medium
Published: Fri May 30 2025 (05/30/2025, 15:04:09 UTC)
Source: CVE Database V5
Vendor/Project: WSO2
Product: WSO2 Open Banking AM

Description

An incorrect authorization vulnerability exists in multiple WSO2 products due to a flaw in the SOAP admin service, which allows user account creation regardless of the self-registration configuration settings. This vulnerability enables malicious actors to create new user accounts without proper authorization. Exploitation of this flaw could allow an attacker to create multiple low-privileged user accounts, gaining unauthorized access to the system. Additionally, continuous exploitation could lead to system resource exhaustion through mass user creation.

AI-Powered Analysis

Last updated: 07/08/2025, 14:55:28 UTC

Technical Analysis

CVE-2024-7097 is an incorrect authorization vulnerability (CWE-863) in WSO2 Open Banking Access Management (AM). The affected versions listed for this product are 1.3.0, 1.4.0, 1.5.0 and 2.0.0, and the vendor description notes that the same flaw is present in multiple WSO2 products. The flaw lies in the SOAP admin service, whose user-creation operation does not enforce the authorization check it should, so accounts can be created regardless of the self-registration configuration. In practice this means a client that can reach the admin service can create new, low-privileged user accounts without holding any prior privileges, bypassing the intended access control.

Low-privileged accounts do not by themselves grant administrative access, but they give an attacker an authenticated identity on the platform from which to perform reconnaissance or attempt further attacks, and creating them in bulk consumes user-store and system resources, which at scale can degrade service.

The CVSS v3.1 base score is 4.3 (medium). The vector components reported are adjacent network access (AV:A), no privileges required (PR:N), no user interaction (UI:N) and a low integrity impact (I:L), with no confidentiality or availability impact scored. Two caveats follow from that vector: the AV:A rating assumes the admin service is reachable only from an adjacent network, so a deployment that exposes the management interface more widely faces a higher practical risk than the score suggests, and the availability effect of mass account creation is described by the vendor but is not reflected in the score. No exploitation in the wild has been reported and no patch is linked on this page, so organizations running affected versions should apply the mitigations below and confirm the fixed release with WSO2. The issue is particularly relevant where WSO2 Open Banking AM provides identity and access management for financial services, where unauthorized account creation undermines both trust and regulatory compliance.

Potential Impact

For European organizations, especially financial institutions running WSO2 Open Banking AM, the risk is unauthorized access through illegitimate user accounts. Although the accounts are low-privileged, they give an attacker an authenticated foothold that can be used for reconnaissance, for probing functionality that is only reachable by signed-in users, or as a starting point for further exploitation. Creating many accounts without authorization can also exhaust resources and disrupt service. Banks and payment providers subject to PSD2 and GDPR face compliance exposure, reputational damage and financial penalties if unauthorized access or integrity issues result. Because the flaw bypasses self-registration controls, it also undermines customer onboarding: accounts can appear on the platform without passing through the identity-proofing steps that onboarding is supposed to enforce, which opens the door to fraud and identity misuse. The medium rating reflects that confidentiality and availability are not scored as affected, but in the financial domain the integrity and trustworthiness of the identity system are exactly what this flaw compromises.

Mitigation Recommendations

No patch is linked on this page, so organizations running affected versions should apply the following mitigations while confirming the patch status with WSO2:

1) Restrict network access to the SOAP admin services to trusted administrative IP ranges only, using firewall rules, network segmentation or the reverse proxy in front of the server. In WSO2 Carbon-based products these services are served from the management HTTPS port (9443 by default) under the /services/ context, and WSO2's production security guidelines recommend restricting access to that path to administrative networks. This is the control that directly closes the exploitation path.
2) Monitor and alert on user account creation events, in particular on bursts of creations from a single client and on creations that arrive through the admin service while self-registration is disabled; both are the signature of this flaw.
3) Enforce additional application-layer authorization checks where possible, for example by routing account provisioning through an identity governance tool that validates each request.
4) Do not rely on disabling self-registration as a mitigation: the flaw creates accounts regardless of that setting, so turning it off does not block the admin-service path. Reviewing which user-creation paths are exposed (self-registration, SCIM or REST provisioning, SOAP admin services) is still worthwhile so that alerting can be tuned to the ones that should never be used.
5) Audit user accounts regularly and remove unauthorized or suspicious accounts promptly, paying attention to creation timestamps and the path through which each account was created.
6) Track WSO2 security advisories and support channels for the fixed release and upgrade as soon as it is available.
7) Apply rate limiting or throttling to the admin service endpoints at the proxy or gateway layer to blunt mass account creation and the resource exhaustion that follows.

These actions focus on access control hardening, monitoring and operational controls that match the exploitation vector rather than on generic advice.
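The monitoring item above calls for two detections: a burst of successful account creations from one client, and any creation that arrives outside the expected paths while self-registration is switched off. The script below is an added example written for this advisory; it is not code from WSO2 or from the original page. The audit line format it parses is constructed for the example and only loosely modelled on a WSO2-style audit record (Initiator / Action / Target / Outcome); the Source= field carrying the client IP is an assumption, since a real deployment may record the client address elsewhere (for example in the HTTP access log of the management port), and the window and threshold values are arbitrary starting points to be tuned per environment.

```python
"""
Spot mass account creation, and creations outside expected paths, in an
identity server audit log.

Added example for the CVE-2024-7097 advisory; not WSO2 code and not part of
the original page. The log format is CONSTRUCTED for the example and only
loosely modelled on a WSO2-style audit record. The `Source=` client-IP field
is an ASSUMPTION: real deployments may carry that information elsewhere.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\] .*?"
    r"Initiator=(?P<initiator>\S+) Action=(?P<action>\S+) Target=(?P<target>\S+) "
    r"Source=(?P<source>\S+) Outcome=(?P<outcome>\S+)$"
)


def _line(ts, initiator, target, source, outcome="Success"):
    # Build one constructed audit line in the format parsed below.
    return (f"[{ts},000] INFO {{AUDIT_LOG}} - Initiator={initiator} "
            f"Action=Add-User Target={target} Source={source} Outcome={outcome}")


# Constructed sample: one legitimate creation by an administrator, one failed
# attempt, then 25 successful creations from a single client in 50 seconds,
# which is the mass-creation pattern the advisory warns about.
SAMPLE_AUDIT_LOG = [
    _line("2025-05-30 15:04:09", "admin", "j.doe", "10.0.5.12"),
    _line("2025-05-30 15:05:30", "admin", "a.smith", "10.0.5.12", "Failure"),
] + [
    _line(f"2025-05-30 15:10:{i * 2:02d}", "anonymous", f"u{i:04d}", "192.168.7.44")
    for i in range(25)
]


@dataclass(frozen=True)
class Event:
    ts: datetime
    initiator: str
    action: str
    target: str
    source: str
    outcome: str


def parse_audit_line(line: str) -> Optional[Event]:
    """Parse one constructed audit line; return None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return Event(
        ts=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        initiator=m["initiator"], action=m["action"], target=m["target"],
        source=m["source"], outcome=m["outcome"],
    )


def successful_creations(lines):
    """Yield only successful Add-User events, which is what the flaw produces."""
    for line in lines:
        ev = parse_audit_line(line)
        if ev and ev.action == "Add-User" and ev.outcome == "Success":
            yield ev


def detect_mass_creation(lines, window_seconds=60, threshold=10):
    """
    Sliding-window burst detector keyed by client source.

    Returns one (source, first_ts_in_window, count) tuple per source the first
    time `threshold` successful creations land inside the window, so a single
    burst raises a single alert rather than one per extra account.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ev in sorted(successful_creations(lines), key=lambda e: e.ts):
        q = recent[ev.source]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and ev.source not in alerted:
            alerted.add(ev.source)
            alerts.append((ev.source, q[0], len(q)))
    return alerts


def find_unexpected_creations(lines, trusted_initiators=frozenset({"admin"}),
                              self_registration_enabled=False):
    """
    Accounts created by an initiator outside the trusted set while
    self-registration is off. With self-registration disabled no such creation
    should be possible, so each one is a candidate for the authorization bypass.
    """
    if self_registration_enabled:
        return []   # the self-registration path legitimately creates accounts
    return [ev.target for ev in successful_creations(lines)
            if ev.initiator not in trusted_initiators]


if __name__ == "__main__":
    for source, start, count in detect_mass_creation(SAMPLE_AUDIT_LOG):
        print(f"ALERT mass account creation from {source}: {count} accounts since {start}")
    unexpected = find_unexpected_creations(SAMPLE_AUDIT_LOG)
    print(f"{len(unexpected)} accounts created outside expected paths, e.g. {unexpected[:3]}")
```

Run against the constructed sample it raises one burst alert for 192.168.7.44 and lists the 25 anonymously created accounts as unexpected; the administrator's creation of j.doe is not flagged. Feeding a real audit log only requires adapting LINE_RE to the fields the deployment actually writes and choosing a window and threshold below the rate at which legitimate provisioning ever runs.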


Technical Details

Data Version
5.1
Assigner Short Name
WSO2
Date Reserved
2024-07-25T07:26:31.718Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6839cb1d182aa0cae2b532ee

Added to database: 5/30/2025, 3:13:33 PM

Last enriched: 7/8/2025, 2:55:28 PM

Last updated: 8/8/2025, 4:57:40 AM

