A major security flaw in several WSO2 products allows attackers to reset the password of any user account, including administrative ones. This could lead to full control over affected systems.
The flaw, identified as CVE-2024-6914, was disclosed on May 22, 2025. It has been assigned a critical severity score of 9.8 out of 10 on the CVSS scale.
How the Vulnerability Works
The issue comes from an authorization flaw in WSO2’s account recovery SOAP admin service. It allows attackers to bypass security checks and reset passwords for any user. No login credentials are needed to exploit this bug.
Attackers can use SOAP requests to target specific endpoints under the /services path. These endpoints are part of the account recovery framework and were not properly secured.
Security Classification
The flaw is categorized as CWE-863: Incorrect Authorization. It can be exploited remotely, without any user interaction or prior access. This makes it especially dangerous for organizations that expose WSO2 services to the internet.
Risks and Impact
If exploited, the vulnerability allows complete takeover of user accounts. This includes accounts with admin privileges, putting entire systems at risk.
The Zero Day Initiative classified it as an “Exposed Dangerous Function Authentication Bypass Vulnerability.” It highlights the exposure of unsafe functions during user self-registration.
Affected Products
- WSO2 API Manager: 2.2.0 to 4.3.0
- WSO2 Identity Server: 5.3.0 to 7.0.0
- WSO2 Identity Server as Key Manager: 5.3.0 to 5.10.0
- WSO2 Open Banking AM/IAM/KM: 1.3.0 to 2.0.0
These products are widely used in enterprise environments, which increases the risk and potential impact of the vulnerability.
Attack Method
Attackers send crafted SOAP requests to the vulnerable /services endpoint. These requests trigger unauthorized password resets without any need for user credentials.
The CVSS vector confirms the ease of exploitation: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
Mitigation and Recommendations
Organizations using affected WSO2 products should act quickly to reduce risk. Key steps include:
- Restrict access to SOAP admin endpoints from untrusted networks.
- Follow WSO2’s “Security Guidelines for Production Deployment.”
- Disable public access to the /services context path.
- Implement network-level access controls.
- Monitor logs for unauthorized password reset attempts.
- Strengthen internal authorization checks.
Applying these security measures can reduce the CVSS score from 9.8 to 8.8, but the threat remains serious.
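To support the "restrict access" and "monitor logs" steps above, here is an added detection example (not WSO2's code and not part of the advisory) that scans reverse-proxy access logs for requests to the /services context from outside a trusted network. It assumes combined-log-format lines; the trusted range 10.0.0.0/8 and the sample log lines are constructed for illustration.

```python
"""Flag requests to the WSO2 /services SOAP admin context from untrusted sources."""
import ipaddress
import re
from typing import Iterable, List

# Assumption: combined log format from a reverse proxy in front of WSO2.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed allowlist: only the internal management network may reach /services.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted(ip: str) -> bool:
    """True if the client address falls inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: treat as untrusted
    return any(addr in net for net in TRUSTED_NETS)


def flag_services_requests(lines: Iterable[str]) -> List[dict]:
    """Return one record per request to /services (any sub-path or query)
    that did not originate from a trusted network."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        path = m.group("path").split("?", 1)[0]
        if not (path == "/services" or path.startswith("/services/")):
            continue
        if is_trusted(m.group("ip")):
            continue
        hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                     "method": m.group("method"), "path": m.group("path"),
                     "status": int(m.group("status"))})
    return hits


# Constructed sample lines: two external hits on /services, one internal, one unrelated.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/May/2025:10:01:02 +0000] "POST /services/ HTTP/1.1" 200 512',
    '10.1.2.3 - - [22/May/2025:10:01:05 +0000] "POST /services/ HTTP/1.1" 200 512',
    '203.0.113.7 - - [22/May/2025:10:01:09 +0000] "GET /carbon/admin/login.jsp HTTP/1.1" 200 1024',
    '198.51.100.4 - - [22/May/2025:10:01:15 +0000] "GET /services?wsdl HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for hit in flag_services_requests(SAMPLE_LOG):
        print(f"ALERT {hit['time']} {hit['ip']} {hit['method']} {hit['path']} -> {hit['status']}")
```

A 401 or 403 on /services from an external address is still worth alerting on, since it shows the context is reachable from the internet at all.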
Patch Availability
WSO2 has released patches to address the vulnerability. All users are urged to apply these updates immediately.
Security researchers have released proof-of-concept exploit code. The flaw is also appearing in threat intelligence feeds, which increases the risk of real-world attacks.
For more details, refer to WSO2’s official security advisory and apply the recommended mitigation steps without delay.