A critical vulnerability has been identified in multiple WSO2 products that allows for a complete bypass of authentication. The flaw exists in the mutual TLS (mTLS) implementation for system-level APIs, permitting an unauthenticated attacker with network access to gain full administrative control over the affected systems. Successful exploitation could lead to data theft, service disruption, and complete system compromise.

The vulnerability is a missing authentication enforcement flaw within the mutual TLS (mTLS) implementation for System REST APIs and SOAP services. In specific default configurations, the system fails to properly validate client certificate-based authentication. An attacker with network access to the vulnerable endpoints can send requests without providing any valid authentication credentials, and the system will improperly process them as if they were authenticated. This allows the attacker to bypass access controls entirely, granting them administrative privileges to perform unauthorized operations on the affected WSO2 product.

This vulnerability is rated as critical severity with a CVSS score of 9.8, reflecting the potential for complete system compromise. Successful exploitation would allow an attacker to gain administrative control, leading to severe consequences such as unauthorized access to sensitive data, modification or deletion of critical system configurations, and full service disruption. The business risks include significant data breaches, reputational damage, financial loss from operational downtime, and the potential for the compromised system to be used as a pivot point for further attacks within the corporate network.

Immediate Action: Update affected WSO2 products to the latest patched version as recommended by the vendor. After applying the update, it is critical to monitor for any signs of exploitation attempts and thoroughly review historical access logs for suspicious activity targeting the System REST APIs or SOAP services.

Proactive Monitoring: Security teams should actively monitor access logs for the affected administrative endpoints. Specifically, look for successful requests originating from unknown or untrusted IP addresses. Network traffic should be analyzed for unusual patterns or direct connections to these system-level interfaces that do not conform to expected administrative activity.

Compensating Controls: If patching cannot be performed immediately, implement strict network segmentation to limit access to the affected endpoints. Use a firewall or network access control list (ACL) to ensure that only trusted, whitelisted IP addresses (such as administrative workstations or jump boxes) can communicate with the vulnerable System REST APIs and SOAP services.

Public Exploit Available: false

Given the critical CVSS score of 9.8, this vulnerability represents a severe and immediate risk to the organization. We strongly recommend that all affected WSO2 product instances be patched immediately without delay. Although this CVE is not currently listed on the CISA KEV list, its high impact makes it a prime candidate for future inclusion. Prioritize this patching effort to prevent a complete and potentially devastating system compromise.