
CVE-2025-6670: CWE-352 Cross-Site Request Forgery (CSRF) in WSO2 Open Banking AM

Severity: High
Tags: Vulnerability, CVE-2025-6670, CWE-352
Published: Tue Nov 18 2025 (11/18/2025, 11:28:37 UTC)
Source: CVE Database V5
Vendor/Project: WSO2
Product: WSO2 Open Banking AM

Description

A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state-changing operations within admin services, specifically in the event processor of the Carbon console. Although the SameSite=Lax cookie attribute is used as a mitigation, it is ineffective in this context because it allows cookies to be sent with cross-origin top-level navigations using GET requests. A malicious actor can exploit this vulnerability by tricking an authenticated user into visiting a crafted link, leading the browser to issue unintended state-changing requests. Successful exploitation could result in unauthorized operations such as data modification, account changes, or other administrative actions. According to WSO2 Secure Production Guidelines, exposure of Carbon console services to untrusted networks is discouraged, which may reduce the impact in properly secured deployments.

AI-Powered Analysis

AILast updated: 11/25/2025, 12:12:41 UTC

Technical Analysis

CVE-2025-6670 is a Cross-Site Request Forgery (CSRF) vulnerability identified in multiple WSO2 products, including WSO2 Open Banking AM. The root cause is the use of HTTP GET methods for operations that change state within administrative services, specifically in the event processor component of the Carbon console. Normally, CSRF attacks exploit the ability of an attacker to induce an authenticated user’s browser to send unauthorized requests. While WSO2 employs the SameSite=Lax cookie attribute to mitigate CSRF risks, this attribute does not block cookies from being sent on cross-origin top-level navigations via GET requests, leaving the system vulnerable. An attacker can craft a malicious URL that, when visited by an authenticated administrator, triggers unintended state-changing actions such as modifying data or altering account configurations. This vulnerability does not require the attacker to have prior authentication or elevated privileges, but it does require the victim to interact with a malicious link. WSO2’s Secure Production Guidelines advise against exposing Carbon console services to untrusted networks, which can reduce the attack surface. The vulnerability has a CVSS 3.1 score of 8.8, indicating a high severity with network attack vector, low attack complexity, no privileges required, user interaction needed, and high impact on confidentiality, integrity, and availability. No public exploits have been reported yet, but the potential impact on critical administrative functions is significant.

Potential Impact

For European organizations using WSO2 Open Banking AM or related WSO2 products, this vulnerability poses a serious risk. Successful exploitation could lead to unauthorized administrative actions, including data tampering, unauthorized account changes, or disruption of banking services. Given the critical role of Open Banking AM in managing authentication and authorization in financial services, exploitation could compromise customer data confidentiality and integrity, potentially violating GDPR and other regulatory requirements. The availability of services could also be impacted if administrative functions are disrupted. Since the vulnerability requires user interaction, phishing or social engineering campaigns targeting administrators could be an effective attack vector. Organizations that expose Carbon console services to external or untrusted networks are at higher risk. The financial sector in Europe is highly regulated and targeted, so the impact could extend to reputational damage, regulatory fines, and operational disruptions.

Mitigation Recommendations

European organizations should immediately review their deployment of WSO2 products, particularly Open Banking AM, to ensure that Carbon console administrative services are not exposed to untrusted networks or the public internet. Network segmentation and strict firewall rules should be enforced to restrict access to these services only to trusted internal IPs. Administrators should be trained to recognize phishing attempts and avoid clicking on suspicious links. WSO2 should be contacted for patches or updates addressing this vulnerability; if none are available, consider implementing additional CSRF protections such as requiring POST methods with anti-CSRF tokens for state-changing operations. Web Application Firewalls (WAFs) can be configured to detect and block suspicious GET requests to admin endpoints. Monitoring and logging of administrative actions should be enhanced to detect anomalous activities promptly. Finally, organizations should review cookie settings and consider additional security headers or mechanisms to mitigate CSRF risks beyond SameSite=Lax.
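The analysis above turns on one browser rule (SameSite=Lax still attaches the cookie to a cross-site top-level GET navigation) and one server-side fix (state changes only via POST with an anti-CSRF token). The following is an added illustration, not WSO2 code and not taken from this record: it models the Lax decision a browser makes, then shows a generic request guard of the kind the mitigation section recommends. The `Request` class, the `session` cookie name, the `csrf_token` form field and the `/admin/change-setting` path are all constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Minimal stand-in for an inbound HTTP request (constructed for this example).
@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def browser_sends_lax_cookie(method: str, top_level: bool, cross_site: bool) -> bool:
    """Model of the SameSite=Lax rule: same-site requests always carry the cookie;
    cross-site requests carry it only for top-level navigations with a safe method.
    This is exactly why a crafted link (GET, top-level) still arrives authenticated."""
    if not cross_site:
        return True
    return top_level and method.upper() in ("GET", "HEAD")


# Synchronizer-token store, session id -> token (in-memory stand-in for a session store).
_SESSIONS: dict = {}


def issue_csrf_token(session_id: str) -> str:
    """Mint a per-session anti-CSRF token to embed in legitimate admin forms."""
    token = secrets.token_urlsafe(32)
    _SESSIONS[session_id] = token
    return token


def guard_state_change(req: Request) -> tuple:
    """Checks a state-changing admin endpoint should enforce independently of cookie
    attributes: unsafe method only, no cross-site fetch metadata, valid session token."""
    if req.method.upper() not in ("POST", "PUT", "DELETE"):
        return False, "state change must not be reachable via GET"
    fetch_site = req.headers.get("Sec-Fetch-Site")
    # Older browsers omit the header (None); modern ones send same-origin for own forms.
    if fetch_site not in (None, "same-origin", "none"):
        return False, "rejected cross-site request (Sec-Fetch-Site=%s)" % fetch_site
    expected = _SESSIONS.get(req.cookies.get("session"))
    submitted = req.form.get("csrf_token")
    if not expected or not submitted or not hmac.compare_digest(expected, submitted):
        return False, "missing or invalid anti-CSRF token"
    return True, "ok"


def demo() -> dict:
    """Run the three scenarios the analysis describes and return the outcomes."""
    sid = "sess-constructed-1"
    token = issue_csrf_token(sid)
    path = "/admin/change-setting"  # hypothetical state-changing endpoint

    # 1. Victim follows a crafted cross-site link: Lax still attaches the cookie,
    #    but the guard refuses because the operation arrived over GET.
    cookie_sent = browser_sends_lax_cookie("GET", top_level=True, cross_site=True)
    crafted_get = Request("GET", path, {"Sec-Fetch-Site": "cross-site"},
                          {"session": sid} if cookie_sent else {})
    get_ok, _ = guard_state_change(crafted_get)

    # 2. Legitimate admin submits the console's own form with the issued token.
    legit_post = Request("POST", path, {"Sec-Fetch-Site": "same-origin"},
                         {"session": sid}, {"csrf_token": token})
    post_ok, _ = guard_state_change(legit_post)

    # 3. Cross-site auto-submitted form: Lax withholds the cookie, and even if a cookie
    #    were present the fetch metadata and missing token would reject it.
    cookie_on_post = browser_sends_lax_cookie("POST", top_level=True, cross_site=True)
    xs_post = Request("POST", path, {"Sec-Fetch-Site": "cross-site"},
                      {"session": sid} if cookie_on_post else {}, {})
    xs_ok, _ = guard_state_change(xs_post)

    return {
        "lax_cookie_on_cross_site_get": cookie_sent,
        "crafted_get_allowed": get_ok,
        "legit_post_allowed": post_ok,
        "cross_site_post_allowed": xs_ok,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the first scenario is that the cookie does arrive, so relying on SameSite=Lax alone is the gap the record describes; the guard closes it by refusing GET for state changes and by demanding a token the attacker's page cannot read. The Sec-Fetch-Site check is defence in depth and is skipped when the header is absent so older clients are not locked out.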


Technical Details

Data Version: 5.2
Assigner Short Name: WSO2
Date Reserved: 2025-06-25T15:24:36.239Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 691c5b0103ddb54749becbfe

Added to database: 11/18/2025, 11:39:45 AM

Last enriched: 11/25/2025, 12:12:41 PM

Last updated: 1/7/2026, 8:49:41 AM

Views: 66
