A critical improper access control vulnerability has been identified in multiple WSO2 products, assigned a CVSS score of 9.6. This flaw allows a low-privileged user to bypass security restrictions and perform unauthorized administrative actions via internal APIs. Successful exploitation could lead to a complete compromise of the affected systems, posing a significant risk to data confidentiality, integrity, and availability.

The vulnerability stems from insufficient permission enforcement within certain internal SOAP Admin Services and System REST APIs. An authenticated but low-privileged attacker can craft and send malicious requests to these specific API endpoints. Because the system fails to properly validate the user's permissions, it processes these requests as if they came from a privileged administrator, allowing the attacker to perform high-level actions such as creating new administrative accounts, modifying configurations, or accessing sensitive data.

This vulnerability is rated as critical severity with a CVSS score of 9.6, indicating a high potential for significant business disruption. Exploitation could grant an attacker full administrative control over the WSO2 platform, leading to severe consequences such as a major data breach, manipulation of critical business logic, or complete service outages. The risk extends to all systems and applications integrated with the WSO2 products, potentially compromising sensitive customer data, intellectual property, and operational stability.

Immediate Action: The primary recommendation is to update all affected WSO2 products to the latest version as specified by the vendor's security advisory. After patching, it is crucial to monitor for any signs of exploitation attempts and review access logs for suspicious activity that occurred prior to the update.

Proactive Monitoring: Organizations should actively monitor for anomalous activity targeting the affected API endpoints. Specifically, look for unexpected or unauthorized calls to internal SOAP Admin Services and System REST APIs, particularly from low-privileged user accounts. Implement alerts for the creation of new administrative users or significant configuration changes originating from unusual sources.

Compensating Controls: If immediate patching is not feasible, implement compensating controls to reduce the attack surface. Restrict network access to the management interfaces and internal APIs, allowing connections only from a trusted administrative jump host or specific IP addresses. Additionally, a Web Application Firewall (WAF) can be configured with rules to block malicious requests targeting the vulnerable API endpoints.

Public Exploit Available: false

Given the critical severity (CVSS 9.6) of this vulnerability, immediate action is required. Successful exploitation could grant a low-privileged attacker full administrative control, leading to a complete system compromise. Although this vulnerability is not currently listed on the CISA KEV catalog, its high impact score makes it a prime candidate for future inclusion. Organizations are strongly advised to prioritize patching all affected WSO2 products without delay to mitigate the significant risk of data breach and service disruption.