CVE-2025-9804: Vulnerability in WSO2 Identity Server as Key Manager
An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information. This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected.
AI Analysis
Technical Summary
CVE-2025-9804 is an improper access control vulnerability identified in multiple versions of WSO2 Identity Server when used as a Key Manager (versions 5.3.0 through 5.10.0). The flaw arises from insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs, which are intended for administrative use only. This weakness allows a low-privileged user, without authentication or user interaction, to perform unauthorized operations, including accessing sensitive server-level information that should be restricted. The vulnerability is confined to internal administrative interfaces; the APIs exposed through the WSO2 API Manager's API Gateway are not affected.

The vulnerability is classified under CWE-284 (Improper Access Control) and has a CVSS v3.1 base score of 9.6 (critical). The attack vector is adjacent network (AV:A), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The scope is changed (S:C), meaning a successful attack affects resources beyond the vulnerable component itself. Confidentiality, integrity, and availability impacts are all rated high, so exploitation could cause significant damage.

Although no exploits are currently reported in the wild, the critical severity and the broad range of affected versions call for urgent attention. The vulnerability was publicly disclosed on October 16, 2025, having been reserved on September 1, 2025. No patches were listed at the time of disclosure, so organizations must monitor vendor updates closely. The flaw is particularly concerning where WSO2 Identity Server is deployed as a key management solution, because unauthorized access to administrative interfaces could lead to compromise of cryptographic keys, identity data, and overall system control.
Potential Impact
For European organizations, the impact of CVE-2025-9804 is significant because of the central role WSO2 Identity Server plays in identity and access management, especially when deployed as a Key Manager. Exploitation could lead to unauthorized disclosure of sensitive identity and cryptographic key information, potentially enabling further attacks such as privilege escalation, data breaches, or disruption of authentication services, with severe consequences for the confidentiality, integrity, and availability of critical systems. Organizations in regulated sectors such as finance, healthcare, and government face heightened consequences from such a breach because of stringent data protection requirements under GDPR and other regulations. The ability of an unauthenticated, low-privileged attacker to reach internal administrative interfaces increases the risk of insider threats and lateral movement within networks, and the lack of required user interaction together with the low exploitation complexity heightens the threat further. Disruption or compromise of identity management infrastructure could cause widespread operational impact, including denial of service to users and loss of trust in authentication mechanisms. The current absence of known exploits in the wild provides a window for proactive mitigation, but the critical severity score demands immediate action.
Mitigation Recommendations
1. Immediately restrict network access to internal SOAP Admin Services and System REST APIs to trusted administrative hosts only, using network segmentation, firewalls, and access control lists.
2. Implement strict authentication and authorization controls on all internal administrative interfaces, ensuring that only authorized personnel can access these services.
3. Monitor internal API usage logs for anomalous or unauthorized access attempts, employing SIEM solutions to detect suspicious activity early.
4. Apply vendor-provided patches or updates as soon as they become available; if no patches are currently released, engage with WSO2 support for recommended interim mitigations.
5. Conduct a thorough audit of existing deployments to identify exposed internal interfaces and remediate any misconfigurations.
6. Employ multi-factor authentication (MFA) for administrative access where possible to add an additional security layer.
7. Educate internal teams about the risks of exposing administrative interfaces and enforce strict operational security policies.
8. Consider deploying Web Application Firewalls (WAFs) or API gateways with advanced access control capabilities to filter and block unauthorized internal API calls.
9. Regularly review and update access permissions and roles to minimize the attack surface.
10. Prepare incident response plans specific to identity management compromise scenarios to enable rapid containment and recovery.
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: WSO2
- Date Reserved: 2025-09-01T13:11:12.678Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68f0ec159f8a5dbaead37551
Added to database: 10/16/2025, 12:59:01 PM
Last enriched: 10/24/2025, 12:46:20 AM
Last updated: 12/5/2025, 9:55:59 AM