Back to KEVs

CVE-2024-7097

Incorrect Authorization in Multiple WSO2 Products via SOAP Admin Service Allowing Unauthorized User Signup

Basic Information

CVE State
PUBLISHED
Reserved Date
July 25, 2024
Published Date
May 30, 2025
Last Updated
May 30, 2025
Vendor
WSO2
Product
WSO2 Open Banking AM, WSO2 Open Banking KM, WSO2 Identity Server as Key Manager, WSO2 API Manager, WSO2 Identity Server, WSO2 Open Banking IAM, WSO2 Enterprise Mobility Manager
Description
An incorrect authorization vulnerability exists in multiple WSO2 products due to a flaw in the SOAP admin service, which allows user account creation regardless of the self-registration configuration settings. This vulnerability enables malicious actors to create new user accounts without proper authorization. Exploitation of this flaw could allow an attacker to create multiple low-privileged user accounts, gaining unauthorized access to the system. Additionally, continuous exploitation could lead to system resource exhaustion through mass user creation.
Tags
nuclei_scanner

CVSS Scores

CVSS v3.1

4.3 - MEDIUM

Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS Score

Score
0.29% (Percentile: 52.22%) as of 2025-07-28

SSVC Information

Exploitation
none
Technical Impact
partial

Exploit Status

Exploited in the Wild
Yes (2025-07-21 00:00:00 UTC) Source

References

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3574/

Known Exploited Vulnerability Information

Source Added Date
The Shadowserver (via CIRCL) 2025-07-22 12:00:32 UTC

Scanner Integrations

Scanner URL Date Detected
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-7097.yaml 2025-05-30 17:00:39 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Detected by Nuclei

  • Added to KEVIntel