WSO2 EI Improper Access Control on Internal SOAP Admin Services
CVE-2025-9955 Published on October 16, 2025

Improper Access Control in WSO2 Enterprise Integrator Product via SOAP Admin Services for Logs and User-Store Configuration
An improper access control vulnerability exists in WSO2 Enterprise Integrator product due to insufficient permission restrictions on internal SOAP admin services related to system logs and user-store configuration. A low-privileged user can access log data and user-store configuration details that are not intended to be exposed at that privilege level. While no credentials or sensitive user information are exposed, this vulnerability may allow unauthorized visibility into internal operational details, which could aid in further exploitation or reconnaissance.

Vendor Advisory NVD

Vulnerability Analysis

Attack Vector:

ADJACENT_NETWORK

Attack Complexity:

LOW

Privileges Required:

LOW

User Interaction:

NONE

Scope:

UNCHANGED

Confidentiality Impact:

HIGH

Integrity Impact:

NONE

Availability Impact:

NONE

Weakness Type

What is an AuthZ Vulnerability?

The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVE-2025-9955 has been classified to as an AuthZ vulnerability or weakness.

Products Associated with CVE-2025-9955

Want to know whenever a new CVE is published for Wso2 Enterprise Integrator? stack.watch will email you.

Wso2 Enterprise Integrator

Affected Versions

WSO2 Enterprise Integrator:

Before 6.0.0 is unknown.
Version 6.0.0 and below 6.0.0.22 is affected.
Version 6.1.0 and below 6.1.0.39 is affected.
Version 6.1.1 and below 6.1.1.43 is affected.
Version 6.2.0 and below 6.2.0.62 is affected.
Version 6.3.0 and below 6.3.0.70 is affected.
Version 6.4.0 and below 6.4.0.100 is affected.
Version 6.5.0 and below 6.5.0.107 is affected.
Version 6.6.0 and below 6.6.0.222 is affected.

WSO2 Enterprise Service Bus:

Before 5.0.0 is unknown.
Version 5.0.0 and below 5.0.0.29 is affected.

org.wso2.carbon:org.wso2.carbon.base:

Version 4.4.8 and below 4.4.8.7 is affected.
Version 4.4.14 and below 4.4.14.5 is affected.
Version 4.4.16 and below 4.4.16.9 is affected.
Version 4.4.26 and below 4.4.26.13 is affected.
Version 4.4.32 and below 4.4.32.16 is affected.
Version 4.4.36 and below 4.4.36.7 is affected.
Version 4.4.40 and below 4.4.40.37 is affected.
Version 4.5.3 and below 4.5.3.45 is affected.
Version 4.9 and below 4.9.29 is affected.
Version 4.10 and below 4.10.94 is affected.

org.wso2.carbon:org.wso2.carbon.server.admin:

Version 4.4.8 and below 4.4.8.7 is affected.
Version 4.4.14 and below 4.4.14.5 is affected.
Version 4.4.16 and below 4.4.16.9 is affected.
Version 4.4.26 and below 4.4.26.13 is affected.
Version 4.4.32 and below 4.4.32.16 is affected.
Version 4.4.36 and below 4.4.36.7 is affected.
Version 4.4.40 and below 4.4.40.37 is affected.
Version 4.5.3 and below 4.5.3.45 is affected.
Version 4.9 and below 4.9.29 is affected.
Version 4.10 and below 4.10.94 is affected.

Exploit Probability

EPSS

0.02%

Percentile

6.01%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

WSO2 EI Improper Access Control on Internal SOAP Admin ServicesCVE-2025-9955 Published on October 16, 2025

Vulnerability Analysis

Weakness Type

What is an AuthZ Vulnerability?

Products Associated with CVE-2025-9955

Affected Versions

Exploit Probability

WSO2 EI Improper Access Control on Internal SOAP Admin Services
CVE-2025-9955 Published on October 16, 2025