CVE-2025-5605

Description

An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the console can manipulate the request URI to bypass authentication and access certain restricted resources, resulting in partial information disclosure. The known exposure from this issue is limited to memory statistics. While the vulnerability does not allow full account compromise, it still enables unauthorized access to internal system details.

CVSS breakdown

Affected products

• WSO2 / org.wso2.carbon:org.wso2.carbon.ui4.6.0 – 4.6.0.1224
• WSO2 / org.wso2.carbon:org.wso2.carbon.ui4.6.1 – 4.6.1.150
• WSO2 / org.wso2.carbon:org.wso2.carbon.ui4.6.2 – 4.6.2.664
• WSO2 / org.wso2.carbon:org.wso2.carbon.ui4.6.3 – 4.6.3.32
• WSO2 / org.wso2.carbon:org.wso2.carbon.ui4.6.4 – 4.6.4.8
• WSO2 / org.wso2.carbon:org.wso2.carbon.ui4.7.1 – 4.7.1.69
• WSO2 / org.wso2.carbon:org.wso2.carbon.ui4.8.1 – 4.8.1.33
• WSO2 / org.wso2.carbon:org.wso2.carbon.ui4.10.90 – *
• WSO2 / org.wso2.carbon:org.wso2.carbon.ui4.9.29 – 4.9.*
• WSO2 / org.wso2.carbon:org.wso2.carbon.ui4.10.42 – 4.10.42.10
• WSO2 / org.wso2.carbon:org.wso2.carbon.ui4.10.9 – 4.10.9.68
• WSO2 / org.wso2.carbon:org.wso2.carbon.ui4.9.28 – 4.9.28.4
• WSO2 / org.wso2.carbon:org.wso2.carbon.ui4.9.27 – 4.9.27.4
• WSO2 / org.wso2.carbon:org.wso2.carbon.ui4.9.26 – 4.9.26.20
• WSO2 / org.wso2.carbon:org.wso2.carbon.ui4.9.0 – 4.9.0.100
• WSO2 / org.wso2.carbon:org.wso2.carbon.ui4.5.3 – 4.5.3.40
• WSO2 / WSO2 API Control Plane4.5.0 – 4.5.0.11
• WSO2 / WSO2 API Manager4.2.0 – 4.2.0.148
• WSO2 / WSO2 API Manager4.3.0 – 4.3.0.61
• WSO2 / WSO2 API Manager4.4.0 – 4.4.0.24
• WSO2 / WSO2 API Manager4.0.0 – 4.0.0.346
• WSO2 / WSO2 API Manager3.2.1 – 3.2.1.48
• WSO2 / WSO2 API Manager4.1.0 – 4.1.0.210
• WSO2 / WSO2 API Manager4.5.0 – 4.5.0.10
• WSO2 / WSO2 API Manager0 – 3.1.0
• WSO2 / WSO2 API Manager3.1.0 – 3.1.0.334
• WSO2 / WSO2 API Manager3.2.0 – 3.2.0.430
• WSO2 / WSO2 Enterprise Integrator6.6.0 – 6.6.0.217
• WSO2 / WSO2 Enterprise Integrator0 – 6.6.0
• WSO2 / WSO2 Identity Server0 – 5.10.0
• WSO2 / WSO2 Identity Server5.10.0 – 5.10.0.361
• WSO2 / WSO2 Identity Server5.11.0 – 5.11.0.414
• WSO2 / WSO2 Identity Server6.0.0 – 6.0.0.245
• WSO2 / WSO2 Identity Server6.1.0 – 6.1.0.244
• WSO2 / WSO2 Identity Server7.0.0 – 7.0.0.119
• WSO2 / WSO2 Identity Server7.1.0 – 7.1.0.25
• WSO2 / WSO2 Identity Server as Key Manager5.10.0 – 5.10.0.354
• WSO2 / WSO2 Identity Server as Key Manager0 – 5.10.0
• WSO2 / WSO2 Open Banking AM2.0.0 – 2.0.0.382
• WSO2 / WSO2 Open Banking AM0 – 2.0.0
• WSO2 / WSO2 Open Banking IAM2.0.0 – 2.0.0.403
• WSO2 / WSO2 Open Banking IAM0 – 2.0.0
• WSO2 / WSO2 Traffic Manager4.5.0 – 4.5.0.10
• WSO2 / WSO2 Universal Gateway4.5.0 – 4.5.0.10

Exploits & proofs of concept

• nucleiWSO2 Management Console - Authentication Bypassby DhiyaneshDK

References

• VENDOR_ADVISORYhttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4115/