WSO2 Account Takeover Vulnerability via SOAP Admin Service (CVSS 9.8) and Mitigation

Key Information Affected Products WS02 API Manager: 4.3.0, 4.2.0, 4.1.0, 4.0.0, 3.2.1, 3.2.0, 3.1.0, 3.0.0, 2.6.0, 2.5.0, 2.2.0 WS02 Identity Server: 7.0.0, 6.1.0, 6.0.0, 5.11.0, 5.10.0, 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0, 5.4.1, 5.4.0, 5.3.0 WS02 Identity Server as Key Manager: 5.10.0, 5.9.0, 5.7.0, 5.6.0, 5.5.0, 5.3.0 WS02 Open Banking AM: 2.0.0, 1.5.0, 1.4.0, 1.3.0 WS02 Open Banking IAM: 2.0.0 WS02 Open Banking KM: 1.5.0, 1.4.0, 1.3.0 Overview Account takeover vulnerability via account recovery functionality associated with the SOAP Admin service. Description This vulnerability can only be exploited through the SOAP Admin service exposed in WSO2 products under the context path. If the security guidelines for production deployment are followed and access to these endpoints from untrusted networks is disabled, the impact is reduced. Successful exploitation of this vulnerability allows a malicious attacker to reset the password of any user account. This enables the attacker to take control of the targeted account, including accounts with elevated privileges such as admin users, posing a significant security risk. When security guidelines for production deployment are not followed and the context is exposed (worst case scenario): Severity: Critical CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:A/H) When security guidelines for production deployment are followed and the context is accessible only from trusted networks: Severity: High CVSS Score: 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:A/H) Solution You can apply the relevant fixes for your products based on the public patches. Alternatively, you can apply a temporary mitigation using the script provided below. Note that this temporary mitigation is fully effective in addressing the identified vulnerability. Fix Verification Refer to the "Verify Fix" section in the README file inside the file for verification steps.

Goal Reached Thanks to every supporter — we hit 100%!

WSO2 Account Takeover Vulnerability via SOAP Admin Service (CVSS 9.8) and Mitigation