CVE-2024-6914

Incorrect Authorization in Multiple WSO2 Products via Account Recovery SOAP Admin Service Leading to Account Takeover

Summary
  • Severity score: 9.8 (CVSS v3.1)
  • Exploit likelihood (EPSS): no value shown
  • Affected versions (CPE): see the product and version list below
  • Public exploits: 0 (multiple sources)
  • Exploited in the wild (KEV): no entry
  • Decision (SSVC): Attend
Descriptions

CVE record description:

An incorrect authorization vulnerability exists in multiple WSO2 products due to a business logic flaw in the account recovery-related SOAP admin service. A malicious actor can exploit this vulnerability to reset the password of any user account, leading to a complete account takeover, including accounts with elevated privileges. This vulnerability is exploitable only through the account recovery SOAP admin services exposed via the "/services" context path in affected products. The impact may be reduced if access to these endpoints has been restricted based on the "Security Guidelines for Production Deployment" by disabling exposure to untrusted networks.

ZDI description (credited to an anonymous researcher working with Trend Micro Zero Day Initiative):

This vulnerability allows remote attackers to bypass authentication on affected installations of WSO2 API Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the user self-registration process. The issue results from the exposure of a dangerous function. An attacker can leverage this vulnerability to bypass authentication on the system.

The two descriptions name different parts of the identity management functionality (account recovery versus user self-registration); the CVE record text is the one that scopes the reachable attack surface to the "/services" context path, so whether that context is exposed to untrusted networks is the first thing to establish for a given deployment.
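Because the CVE record limits the exploitable surface to the "/services" context path, a quick way to see whether that surface was reachable from untrusted networks is to look for requests to it in the web access log. The script below is an added example (it is not part of the advisory and not WSO2 code): it parses common/combined-format access log lines, keeps the ones under "/services", and reports those whose client address lies outside an operator-supplied list of trusted networks, marking whether the request was actually served (2xx/3xx) or blocked (403/404 from a proxy or a missing context). The log lines and the service name in them are constructed for the example and do not name a real WSO2 service.

```python
"""Flag requests to the WSO2 "/services" SOAP admin context in an access log.

Added example, not part of the advisory or of any WSO2 code. CVE-2024-6914 is
exploitable only through SOAP admin services under the "/services" context
path, so any request to that path from a network that should not reach the
admin services is worth reviewing, whether or not the request was served.
Lines follow the common/combined access log layout (client, identity, user,
timestamp, request line, status, bytes). SAMPLE_LOG at the bottom is
constructed for this example; the service name in it is a placeholder.
"""
import ipaddress
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\S+)'
)

SERVICES_PREFIX = "/services"


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_services_request(path):
    """True for the /services context itself or anything beneath it; the query string is ignored."""
    p = path.split("?", 1)[0]
    return p == SERVICES_PREFIX or p.startswith(SERVICES_PREFIX + "/")


def find_untrusted_services_requests(lines, trusted_networks):
    """Return /services requests whose client is outside every trusted network.

    Each hit carries 'served' = True when the status is below 400, i.e. the
    admin context answered rather than being blocked at a proxy (403) or
    absent (404). Unparseable lines and unparseable client addresses are skipped.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_services_request(rec["path"]):
            continue
        try:
            client = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue
        if any(client in net for net in nets):
            continue
        hits.append({
            "ip": rec["ip"],
            "method": rec["method"],
            "path": rec["path"],
            "status": rec["status"],
            "served": rec["status"] < 400,
        })
    return hits


# Constructed sample log lines (not from a real deployment; "ExampleAdminService" is a placeholder).
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Jan/2025:10:01:02 +0000] "POST /services/ExampleAdminService HTTP/1.1" 200 1532',
    '203.0.113.7 - - [03/Jan/2025:10:02:15 +0000] "GET /services/ExampleAdminService?wsdl HTTP/1.1" 200 8120',
    '203.0.113.7 - - [03/Jan/2025:10:02:16 +0000] "POST /services/ExampleAdminService HTTP/1.1" 200 1498',
    '198.51.100.9 - - [03/Jan/2025:10:05:40 +0000] "POST /services/ExampleAdminService HTTP/1.1" 403 0',
    '203.0.113.7 - - [03/Jan/2025:10:06:00 +0000] "GET /carbon/admin/login.jsp HTTP/1.1" 200 4110',
    'garbage line that does not parse',
]

# Assumed trusted network for the example: the internal range admins use.
TRUSTED = ["10.0.0.0/8"]

if __name__ == "__main__":
    for hit in find_untrusted_services_requests(SAMPLE_LOG, TRUSTED):
        state = "SERVED" if hit["served"] else "blocked"
        print(f'{hit["ip"]:>14} {hit["method"]:<5} {hit["status"]} {state:<7} {hit["path"]}')
```

Hits marked SERVED from an untrusted source are the ones that contradict the production deployment guideline the CVE record refers to; a run of POSTs to the same service from one outside address, as in the sample, is the pattern to escalate. Blocked hits still show that someone probed the context. Feed the script your real access log and trusted ranges instead of the constructed sample.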
CVSS Scores

  • CVSS v3.1, base score 9.8: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality: High; Integrity: High; Availability: High
  • Alternative CVSS v3.1 scoring, base score 8.8: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Attack Vector: Adjacent; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality: High; Integrity: High; Availability: High
  • Alternative CVSS v3.1 scoring, base score 8.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    Attack Vector: Network; Attack Complexity: High; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality: High; Integrity: High; Availability: High
  • CVSS v2, base score 10.0: AV:N/AC:L/Au:N/C:C/I:C/A:C
    Attack Vector: Network; Attack Complexity: Low; Authentication: None; Confidentiality: Complete; Integrity: Complete; Availability: Complete

The 8.8 and 8.1 vectors differ from the headline 9.8 only in Attack Vector (Adjacent) and Attack Complexity (High) respectively; they correspond to deployments where the "/services" context is reachable only from an adjacent network or where additional conditions must be met. The base scores follow from the listed metrics under the Common Vulnerability Scoring System.
SSVC
  • Decision: Attend
  • Exploitation: None
  • Automatable: Yes
  • Technical Impact: Total
  (Scored against the organization's worst-case scenario)
Timeline
  • 2024-07-19 CVE reserved
  • 2024-12-30 CVE published
  • 2025-05-22 CVE updated
  • 2025-06-23 EPSS updated
  • Exploited in the wild: no date recorded
  • KEV due date: none (not in KEV)
  • First exploit: none recorded
CWE
  • CWE-863: Incorrect Authorization
CAPEC
  • none listed
Affected Vendors, Products, and Versions

Vendor: WSO2. Every entry below has status "Affected". Each range runs from update level 0 of a release up to, but not including, the listed update level; an installation at or above the upper bound of its release line is outside the affected range.

WSO2 API Manager
  • >= 2.2.0.0 and < 2.2.0.55
  • >= 2.5.0.0 and < 2.5.0.82
  • >= 2.6.0.0 and < 2.6.0.141
  • >= 3.0.0.0 and < 3.0.0.161
  • >= 3.1.0.0 and < 3.1.0.292
  • >= 3.2.0.0 and < 3.2.0.382
  • >= 3.2.1.0 and < 3.2.1.14
  • >= 4.0.0.0 and < 4.0.0.304
  • >= 4.1.0.0 and < 4.1.0.164
  • >= 4.2.0.0 and < 4.2.0.99
  • >= 4.3.0.0 and < 4.3.0.15

WSO2 Governance Registry
  • >= 5.4.0.0 and < 5.4.0.14

WSO2 Identity Server
  • >= 5.3.0.0 and < 5.3.0.31
  • >= 5.4.0.0 and < 5.4.0.30
  • >= 5.4.1.0 and < 5.4.1.35
  • >= 5.5.0.0 and < 5.5.0.48
  • >= 5.6.0.0 and < 5.6.0.56
  • >= 5.7.0.0 and < 5.7.0.122
  • >= 5.8.0.0 and < 5.8.0.104
  • >= 5.9.0.0 and < 5.9.0.155
  • >= 5.10.0.0 and < 5.10.0.317
  • >= 5.11.0.0 and < 5.11.0.363
  • >= 6.0.0.0 and < 6.0.0.207
  • >= 6.1.0.0 and < 6.1.0.184
  • >= 7.0.0.0 and < 7.0.0.56

WSO2 Identity Server As Key Manager
  • >= 5.3.0.0 and < 5.3.0.36
  • >= 5.5.0.0 and < 5.5.0.49
  • >= 5.6.0.0 and < 5.6.0.70
  • >= 5.7.0.0 and < 5.7.0.121
  • >= 5.9.0.0 and < 5.9.0.162
  • >= 5.10.0.0 and < 5.10.0.311

WSO2 IoT
  • >= 3.3.0.0 and < 3.3.0.59
  • >= 3.3.1.0 and < 3.3.1.61

WSO2 Open Banking AM
  • >= 1.3.0.0 and < 1.3.0.130
  • >= 1.4.0.0 and < 1.4.0.133
  • >= 1.5.0.0 and < 1.5.0.135
  • >= 2.0.0.0 and < 2.0.0.341

WSO2 Open Banking KM
  • >= 1.3.0.0 and < 1.3.0.113
  • >= 1.4.0.0 and < 1.4.0.129
  • >= 1.5.0.0 and < 1.5.0.119

WSO2 Open Banking IAM
  • >= 2.0.0.0 and < 2.0.0.362

WSO2 Carbon Identity Management
  • >= 5.7.5.0 and < 5.7.5.9
  • >= 5.10.86.0 and < 5.10.86.4
  • >= 5.10.112.0 and < 5.10.112.14
  • >= 5.11.148.0 and < 5.11.148.13
  • >= 5.11.256.0 and < 5.11.256.15
  • >= 5.12.153.0 and < 5.12.153.58
  • >= 5.12.387.0 and < 5.12.387.41
  • >= 5.14.97.0 and < 5.14.97.75
  • >= 5.17.5.0 and < 5.17.5.282
  • >= 5.17.118.0 and < 5.17.118.4
  • >= 5.18.187.0 and < 5.18.187.265
  • >= 5.18.248.0 and < 5.18.248.14
  • >= 5.23.8.0 and < 5.23.8.184
  • >= 5.24.8.0 and < 5.24.8.6
  • >= 5.25.92.0 and < 5.25.92.92
  • >= 5.25.705.0 and < 5.25.705.6
  • >= 7.0.78.0 and < 7.0.78.32
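The ranges above all share one shape: they start at update level 0 of a release and end just below a specific update level, so each one is fully described by its upper bound. The script below, an added example that is not WSO2 code and not part of the advisory, encodes the upper bounds from the list above and classifies an inventory entry (product name as written above, plus a version string) as affected, not affected, or belonging to a release line the advisory does not list. The inventory entries in `main` are constructed for the example.

```python
"""Check a WSO2 product version against the affected ranges of CVE-2024-6914.

Added example, not WSO2 code. WSO2 version strings have four numeric parts:
the first three name the product release and the fourth is the update level
applied on top of it. Every affected range for this CVE starts at update
level 0 of a release and ends just below one update level, so each range is
fully described by its upper bound; FIRST_UNAFFECTED_LEVEL holds those bounds,
copied from the advisory data, keyed by the product names used there.
"""

FIRST_UNAFFECTED_LEVEL = {
    "WSO2 API Manager": [
        "2.2.0.55", "2.5.0.82", "2.6.0.141", "3.0.0.161", "3.1.0.292", "3.2.0.382",
        "3.2.1.14", "4.0.0.304", "4.1.0.164", "4.2.0.99", "4.3.0.15",
    ],
    "WSO2 Governance Registry": ["5.4.0.14"],
    "WSO2 Identity Server": [
        "5.3.0.31", "5.4.0.30", "5.4.1.35", "5.5.0.48", "5.6.0.56", "5.7.0.122",
        "5.8.0.104", "5.9.0.155", "5.10.0.317", "5.11.0.363", "6.0.0.207",
        "6.1.0.184", "7.0.0.56",
    ],
    "WSO2 Identity Server As Key Manager": [
        "5.3.0.36", "5.5.0.49", "5.6.0.70", "5.7.0.121", "5.9.0.162", "5.10.0.311",
    ],
    "WSO2 IoT": ["3.3.0.59", "3.3.1.61"],
    "WSO2 Open Banking AM": ["1.3.0.130", "1.4.0.133", "1.5.0.135", "2.0.0.341"],
    "WSO2 Open Banking KM": ["1.3.0.113", "1.4.0.129", "1.5.0.119"],
    "WSO2 Open Banking IAM": ["2.0.0.362"],
    "WSO2 Carbon Identity Management": [
        "5.7.5.9", "5.10.86.4", "5.10.112.14", "5.11.148.13", "5.11.256.15",
        "5.12.153.58", "5.12.387.41", "5.14.97.75", "5.17.5.282", "5.17.118.4",
        "5.18.187.265", "5.18.248.14", "5.23.8.184", "5.24.8.6", "5.25.92.92",
        "5.25.705.6", "7.0.78.32",
    ],
}


def parse_version(version):
    """Split 'a.b.c.d' into four ints; a bare 'a.b.c' release is treated as update level 0."""
    parts = version.strip().split(".")
    if len(parts) == 3:
        parts.append("0")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a WSO2 version string: {version!r}")
    return tuple(int(p) for p in parts)


def assessment(product, version):
    """Classify one inventory entry.

    Returns 'affected' when the release line is listed and the update level is
    below the bound, 'not affected' when it is at or above the bound, and
    'release not listed' when the advisory lists no range for that release line.
    """
    release = parse_version(version)
    try:
        bounds = FIRST_UNAFFECTED_LEVEL[product]
    except KeyError:
        raise KeyError(f"product not in the advisory data: {product!r}") from None
    for bound in bounds:
        upper = parse_version(bound)
        if release[:3] == upper[:3]:
            return "affected" if release[3] < upper[3] else "not affected"
    return "release not listed"


if __name__ == "__main__":
    # Constructed inventory entries for the example; not a real estate.
    inventory = [
        ("WSO2 API Manager", "4.2.0.98"),
        ("WSO2 API Manager", "4.2.0.99"),
        ("WSO2 Identity Server", "7.0.0"),
        ("WSO2 Carbon Identity Management", "5.25.705.6"),
        ("WSO2 Identity Server", "5.12.0.3"),
    ]
    for product, version in inventory:
        print(f"{product:<36} {version:<12} {assessment(product, version)}")
```

A three-part version with no update level is read as level 0, which is the conservative choice: a server that has had no updates applied cannot be past the bound. "Release not listed" is not a clean bill of health; it only means the advisory data carries no range for that release line, so check the vendor advisory directly for those.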