lokvica

Insufficient Authorisation in WSO2 API Manager SOAP Admin Services

Date:
CVE ID: CVE-2025-9804
CVSS score: 10.0 * (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Product: Multiple (WSO2)
Researcher: @crnkovic
Type: Broken auth
CWE: CWE-862

Multiple SOAP admin services in WSO2 products lack proper authorisation checks, allowing any authenticated user to invoke privileged administrative operations.

On WSO2 API Manager, the APIGatewayAdmin service is the most critical example. Its deployAPI operation accepts a Synapse API definition containing embedded Script Mediator code and deploys it to the gateway with no privilege validation. The Script Mediator is a known RCE vector that provides access to Java classes, allowing an attacker to embed java.lang.Runtime.getRuntime().exec() in a mediation sequence to execute arbitrary operating system commands. Once deployed to the gateway, the embedded code executes when the API is requested. (The class access controls introduced to mitigate this are bypassed in CVE-2025-11093.)
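As a defensive gate for the deployAPI path described above, the following is an added example (not code from the advisory or from WSO2) that parses a Synapse API definition and refuses any that carries a Script Mediator, reporting whether the script is inline and whether it references Java runtime classes; the Synapse XML namespace is the standard one, while the token list and the two sample definitions are constructed for this example.

```python
import xml.etree.ElementTree as ET

SYNAPSE_NS = "http://ws.apache.org/ns/synapse"
SCRIPT_TAG = "{%s}script" % SYNAPSE_NS
# Markers of host-level Java access in inline script code (constructed list, not a WSO2 setting).
SUSPICIOUS_TOKENS = ("java.lang.Runtime", "ProcessBuilder", "Packages.java")

def find_script_mediators(api_xml: str) -> list:
    """Return one finding per <script> mediator anywhere in a Synapse API definition.

    The stdlib parser does not fetch external entities, so a hostile DOCTYPE in the
    submitted definition cannot turn this check itself into an XXE sink.
    """
    root = ET.fromstring(api_xml)
    findings = []
    for node in root.iter(SCRIPT_TAG):
        code = (node.text or "").strip()
        findings.append({
            "language": node.get("language", ""),
            "key": node.get("key", ""),   # non-empty when the script is loaded from the registry
            "inline": bool(code),
            "suspicious": [t for t in SUSPICIOUS_TOKENS if t in code],
        })
    return findings

def should_block(api_xml: str) -> bool:
    """Gate policy: refuse any definition that carries a script mediator at all,
    since its body runs on the gateway whenever the API is invoked."""
    return len(find_script_mediators(api_xml)) > 0

# Constructed sample: an inline JS script in the in-sequence that reaches for
# java.lang.Runtime, the pattern the advisory describes.
SAMPLE_WITH_SCRIPT = """<api xmlns="http://ws.apache.org/ns/synapse" name="Sample" context="/sample">
  <resource methods="GET" url-mapping="/*">
    <inSequence>
      <script language="js"><![CDATA[var r = java.lang.Runtime.getRuntime();]]></script>
      <respond/>
    </inSequence>
  </resource>
</api>"""

# Constructed sample with no script mediator.
SAMPLE_CLEAN = """<api xmlns="http://ws.apache.org/ns/synapse" name="Clean" context="/clean">
  <resource methods="GET" url-mapping="/*">
    <inSequence><log level="full"/><respond/></inSequence>
  </resource>
</api>"""
```

Run `should_block(...)` on a definition before it reaches the gateway; `find_script_mediators(...)` gives the detail worth logging when a submission is refused.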

The same authorisation issue affects the APILocalEntryAdmin service, exposing an XXE vulnerability (CVE-2025-10713), and the APIKeyMgtSubscriberService, which allows any authenticated user to create and modify OAuth 2.0 clients. This enables the same privilege escalation to administrative access as CVE-2025-9152: obtain a client secret, enable the client_credentials grant type, and request a token with apim:admin scope.

Since self-signup is enabled by default, unauthenticated attackers can create an account and immediately escalate to remote code execution.

This vulnerability was responsibly disclosed and has been patched by the vendor.

Affected products

See also