Advisory

Critical WSO2 SOAP account takeover flaw enables password reset for any user

Take action: If you're using WSO2 products, immediately restrict access to the /services SOAP admin endpoints from untrusted networks and the internet to prevent attackers from resetting any user's password. Then apply WSO2's official security patches through their update mechanism. If you can't update, review and apply the mitigation script.
Learn More

WSO2 has patched a critical security vulnerability affecting multiple enterprise products that allows malicious actors to reset passwords for any user account, potentially leading to complete system compromise. 

WSO2 is an open-source middleware platform that provides software solutions for application development, API management, and identity and access management.

The vulnerability is tracked as CVE-2024-6914 (CVSS score 9.8) and stems from an incorrect authorization flaw in the account recovery SOAP admin service, which is exposed through the /services context path. Attackers who can reach these endpoints can craft requests that trigger the password reset functionality without proper authorization.

The vulnerability impacts a range of WSO2 products across multiple versions, including:

  • WSO2 API Manager versions 2.2.0 through 4.3.0,
  • WSO2 Identity Server versions 5.3.0 through 7.0.0,
  • WSO2 Identity Server as Key Manager versions 5.3.0 through 5.10.0, 
  • various WSO2 Open Banking products from versions 1.3.0 through 2.0.0. 

Organizations using affected WSO2 products should restrict access to the SOAP admin services from untrusted networks and then patch. WSO2 has released security patches addressing this vulnerability through their official update mechanism. WSO2 customers with support subscriptions can apply fixes through WSO2 Updates.
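Both the "Take action" guidance and the paragraph above come down to one control: the /services SOAP admin endpoints must not be reachable from untrusted networks. The script below is an added example, not code from the advisory or from WSO2, that verifies this control against access logs: it parses common-format request lines, flags every request whose path starts with /services/ and whose client address falls outside an allowlist of trusted networks, and summarizes hits per source address. The log lines, the 10.0.0.0/8 trusted range and the service name ExampleAdminService are constructed assumptions for illustration; substitute your own access log and trusted ranges.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines in Apache/Tomcat "common" format.
# These are illustrative only and are not real WSO2 log output.
SAMPLE_LOG = """\
10.0.1.15 - - [12/Nov/2024:10:01:02 +0000] "POST /services/ExampleAdminService HTTP/1.1" 200 512
203.0.113.77 - - [12/Nov/2024:10:01:09 +0000] "POST /services/ExampleAdminService HTTP/1.1" 200 498
198.51.100.23 - - [12/Nov/2024:10:02:30 +0000] "GET /services/ HTTP/1.1" 403 0
10.0.2.8 - - [12/Nov/2024:10:03:11 +0000] "GET /api/am/publisher/v3/apis HTTP/1.1" 200 2048
203.0.113.77 - - [12/Nov/2024:10:03:45 +0000] "GET /carbon/admin/login.jsp HTTP/1.1" 200 1500
"""

# Assumed trusted ranges (internal management network). Adjust to your environment.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Path prefixes that the advisory says must not be exposed to untrusted networks.
ADMIN_PATH_PREFIXES = ("/services/",)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one common-format access log line; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Drop any query string so prefix matching sees only the path component.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def is_trusted(ip: str, trusted=TRUSTED_NETWORKS) -> bool:
    """True if the client address lies inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable address is never trusted
    return any(addr in net for net in trusted)


def find_untrusted_admin_requests(log_text: str,
                                  trusted=TRUSTED_NETWORKS,
                                  prefixes=ADMIN_PATH_PREFIXES) -> List[Dict[str, str]]:
    """Return every admin-path request that came from outside the trusted networks.

    A 403 is still reported: it shows the endpoint is reachable from that
    network, which is exactly the exposure the advisory tells you to remove.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].startswith(prefixes) and not is_trusted(rec["ip"], trusted):
            hits.append(rec)
    return hits


def summarize(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged requests per source address for a quick triage view."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    flagged = find_untrusted_admin_requests(SAMPLE_LOG)
    for h in flagged:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print("per-source counts:", summarize(flagged))
```

Any hit means the network restriction is not in place (or was not in place at the time of the log): the request reached the application regardless of what the application answered. Run it over logs from before the restriction was applied to see who was already probing these paths.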

The company has also provided a temporary mitigation script for immediate deployment while permanent fixes are being applied. 
