A critical vulnerability has been identified in multiple WSO2 products, assigned CVE-2025-10611, with a CVSS score of 9.8. This flaw allows an unauthenticated attacker to bypass security controls on certain REST APIs, potentially leading to unauthorized access to sensitive data, system modification, or complete service compromise. Immediate patching is required to mitigate the significant risk posed to the organization's data and infrastructure.

This vulnerability is caused by an insufficient access control implementation within the REST API framework of affected WSO2 products. An unauthenticated, remote attacker can craft a specialized HTTP request targeting vulnerable API endpoints. Due to the flaw, the system fails to properly enforce authentication and authorization checks for these requests, granting the attacker direct access to the API's functionality. Successful exploitation allows an attacker to invoke privileged operations, potentially leading to unauthorized data access, modification, deletion, or execution of administrative functions.

With a critical severity rating and a CVSS score of 9.8, this vulnerability poses a severe and direct threat to the business. Successful exploitation could result in a complete compromise of the affected WSO2 instance, leading to a major data breach of sensitive corporate or customer information, service disruption, and unauthorized system modifications. The potential consequences include significant financial losses, severe reputational damage, and possible regulatory fines for non-compliance with data protection standards.

Immediate Action: Update all affected WSO2 products to the latest patched version as recommended by the vendor. Prioritize patching for all internet-facing systems. After patching, monitor for any signs of exploitation attempts and conduct a thorough review of historical access logs for any indicators of compromise preceding the update.

Proactive Monitoring: Security teams should implement enhanced monitoring of API access logs for anomalous requests, particularly those directed at sensitive endpoints that lack proper authentication tokens or originate from untrusted IP addresses. Configure alerts for unusual patterns, such as a high volume of requests to a specific API or access from geographically unexpected locations.

Compensating Controls: If immediate patching is not feasible, implement compensating controls to reduce the risk. Deploy a Web Application Firewall (WAF) with strict rules to inspect and block malformed or unauthorized requests targeting the vulnerable API endpoints. Furthermore, restrict network access to the affected APIs at the network firewall level, permitting connections only from trusted, internal IP ranges until patches can be applied.

Public Exploit Available: false

Given the critical CVSS score of 9.8, this vulnerability must be addressed as the highest priority. All organizations utilizing affected WSO2 products are strongly urged to apply the vendor-supplied patches immediately to prevent potential compromise. Although this CVE is not currently on the CISA KEV list, its severity makes it a prime candidate for future inclusion and an attractive target for threat actors. Proactive and immediate remediation is the most effective strategy to safeguard organizational assets.