CVE-2025-6024 is classified as a medium-severity vulnerability that impacts WSO2 products, specifically the API Manager and Identity Server. This vulnerability allows attackers to exploit an authentication endpoint that fails to properly encode user-supplied input before rendering it in web pages. As a result, attackers can inject malicious scripts into the application. The potential consequences include redirecting users' browsers to malicious websites, manipulating the web page's user interface, or retrieving sensitive information from users' browsers. However, due to the httpOnly flag protecting session-related cookies, session hijacking is not possible.
The vulnerability has a CVSS score of 6.1, which is classified as medium severity. This score indicates that while the vulnerability is not critical, it still poses a significant risk that organizations should take seriously. The attack vector is classified as 'network', which means that the vulnerability can be exploited remotely without requiring physical access to the affected systems.
Organizations using affected versions of WSO2 API Manager (3.1.0, 3.2.0, 3.2.1, 4.0.0, and 4.1.0) and WSO2 Identity Server (5.10.0 and 5.11.0) are at risk. The vulnerability was published on April 16, 2026, and organizations should prioritize patching to the latest versions to mitigate the risk.
Given the nature of this vulnerability, organizations should assess their exposure and take appropriate actions to secure their applications. Failing to address this vulnerability could lead to unauthorized access or manipulation of sensitive data.
Vulnerability Details
The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. This vulnerability is classified under CWE-79, which pertains to improper neutralization of input during web page generation. The official CVSS score of 6.1 reflects a medium severity level, implying that while the impacts are significant, they do not rise to critical levels. The details related to this vulnerability can be referenced from the WSO2 advisory.
Technical Analysis
The root cause of CVE-2025-6024 is that the authentication endpoint does not encode user-supplied input before rendering it into the response page; the missing control is output encoding rather than input sanitization. This lets an attacker inject script that runs in the user's browser in the context of that user's session with the application. The attack vector is network-based, meaning that an attacker can initiate an attack remotely without needing direct access to the underlying systems.
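The encoding defect described above, shown as an added illustration that is not code from WSO2 or from the advisory: a generic login-page renderer that interpolates a request parameter into HTML without encoding, next to the same renderer with HTML encoding applied, plus the HttpOnly cookie attribute the advisory credits with ruling out session hijacking. The parameter name `relyingParty`, the template text, the cookie name and the sample value are assumptions for illustration, not details of the affected endpoint.

```javascript
// Added example (not WSO2 code): the CWE-79 pattern behind the advisory,
// a request parameter reflected into HTML, with and without output encoding.
// Parameter name, template and sample value are constructed for illustration.

// Constructed sample value for a request parameter; any HTML metacharacter
// would do, a script tag simply makes the difference visible.
const SAMPLE_PARAM = '<script>x()</script>';

// Vulnerable pattern: the parameter is placed into the page verbatim, so
// whatever markup it carries becomes part of the document.
function renderLoginVulnerable(relyingParty) {
  return `<p>Sign in to ${relyingParty}</p>`;
}

// HTML encoding for text and quoted-attribute contexts: every character that
// can open a tag, close an attribute or start an entity is replaced.
function escapeHtml(s) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  };
  return String(s).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// Fixed pattern: identical template, but the untrusted value is encoded at
// the point where it is written into HTML.
function renderLoginFixed(relyingParty) {
  return `<p>Sign in to ${escapeHtml(relyingParty)}</p>`;
}

// Review check: does the rendered page still contain the raw parameter value?
// True means the parameter's markup reached the document unchanged.
function reflectsRawMarkup(html, param) {
  return html.includes(param);
}

// Session cookie attributes. HttpOnly keeps the cookie out of reach of page
// script, which is why the advisory rules out session hijacking even though
// script injection is possible. Cookie name is an assumption.
function sessionCookie(name, value) {
  return `${name}=${value}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

console.log(renderLoginVulnerable(SAMPLE_PARAM)); // raw tag reaches the page
console.log(renderLoginFixed(SAMPLE_PARAM));      // tag rendered as text
console.log(sessionCookie('SESSION', 'opaque-token'));
```

The encoding function is deliberately context-specific: it is correct for HTML text and quoted attribute values, and a value written into a JavaScript block, a URL or a CSS property would need the encoder for that context instead.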
The attack complexity is classified as low, indicating that exploitation is relatively straightforward. No privileges are required, which makes the issue particularly concerning for organizations. User interaction is required: a victim must be induced to load the crafted request, typically through social engineering.
The impacts are rated low for confidentiality and low for integrity, since an injected script may read information available to the user's browser or alter the page's interface; availability is unaffected. Together these metrics place the issue at medium risk for organizations.
Risk & Impact Analysis
Organizations utilizing WSO2 API Manager and Identity Server versions mentioned previously are at risk of exploitation of CVE-2025-6024. The vulnerability's impact is exacerbated by the low complexity required for exploitation and the lack of required privileges for attackers. Risk to organizations includes potential unauthorized access to sensitive user data, manipulation of web pages, and redirection to malicious sites. Given the CVSS score of 6.1, organizations should assess their defenses and prioritize remediation efforts.
The urgency for organizations to address this vulnerability is medium, as it does not currently appear in the KEV (Known Exploited Vulnerabilities) catalog. However, the risks posed by this vulnerability necessitate timely patching and remediation efforts.
| Signal | Status |
|---|---|
| Known Exploit | No |
| Public PoC | No |
| Actively Exploited | No |
| Ransomware Use | No |
Affected Versions
The following versions of WSO2 products are affected by this vulnerability:
- WSO2 API Manager: 3.1.0, 3.2.0, 3.2.1, 4.0.0, 4.1.0
- WSO2 Identity Server: 5.10.0, 5.11.0
Organizations should ensure they upgrade to the latest patched versions to mitigate the risk associated with CVE-2025-6024.
Mitigation & Remediation
To address this vulnerability, organizations should apply the latest patches provided by WSO2 for the affected products. Regularly updating software and applying security patches is critical for maintaining the security of systems. Organizations should also consider conducting a thorough security assessment to identify and remediate any potential vulnerabilities in their applications.
For comprehensive security measures, organizations can leverage penetration testing services to help identify weaknesses and validate remediation efforts.
Detection Guidance
To detect potential exploitation of this vulnerability, organizations should monitor logs for unusual activities, specifically related to the authentication endpoint. Indicators of compromise may include unexpected redirects and unauthorized changes to the user interface. Additionally, organizations should look for any anomalies in user behavior, particularly those that suggest attempts at script injection.
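As an added example for the log-monitoring guidance above (not tooling from WSO2 or from the advisory): a scanner over constructed access-log lines that flags requests to the authentication endpoint whose query parameters carry HTML markup after URL-decoding, including values that were percent-encoded twice. The path prefix `/authenticationendpoint/`, the parameter names, the addresses and the combined-log format are assumptions; adjust them to the deployment's actual endpoint and logging.

```javascript
// Added example: flag authentication-endpoint requests whose parameters
// decode to HTML markup. Log format, path prefix and all sample lines are
// constructed for illustration, not taken from the advisory or a real system.

const AUTH_PATH_PREFIX = '/authenticationendpoint/';   // assumption: adjust per deployment

// Constructed sample lines in Apache combined-log style (not real traffic).
const SAMPLE_LOG = [
  '203.0.113.5 - - [16/Apr/2026:10:01:02 +0000] "GET /authenticationendpoint/login.do?client_id=myapp&relyingParty=portal HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [16/Apr/2026:10:02:15 +0000] "GET /authenticationendpoint/login.do?relyingParty=%3Cscript%3Ex()%3C%2Fscript%3E HTTP/1.1" 200 5200 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [16/Apr/2026:10:03:44 +0000] "GET /api/am/publisher/v1/apis HTTP/1.1" 200 812 "-" "curl/8.0"',
  '203.0.113.11 - - [16/Apr/2026:10:04:01 +0000] "GET /authenticationendpoint/login.do?relyingParty=%253Cb%253Ex%253C%252Fb%253E HTTP/1.1" 200 5200 "-" "Mozilla/5.0"',
];

// client, ident, user, [timestamp], "METHOD target PROTOCOL", status
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) ([^" ]+) [^"]*" (\d{3})/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;                     // not a request line we understand
  const [, ip, ts, method, target, status] = m;
  const q = target.indexOf('?');
  return {
    ip, ts, method,
    path: q < 0 ? target : target.slice(0, q),
    query: q < 0 ? '' : target.slice(q + 1),
    status: Number(status),
  };
}

// Percent-decode up to `rounds` times so a double-encoded value is seen as
// the server would eventually render it; stop on malformed escapes.
function fullyDecode(s, rounds = 2) {
  let out = s.replace(/\+/g, ' ');
  for (let i = 0; i < rounds; i++) {
    try {
      const next = decodeURIComponent(out);
      if (next === out) break;
      out = next;
    } catch (e) {
      break;
    }
  }
  return out;
}

// Return the parameters whose decoded value contains an HTML tag delimiter.
function suspiciousParams(query) {
  const hits = [];
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const name = eq < 0 ? pair : pair.slice(0, eq);
    const value = fullyDecode(eq < 0 ? '' : pair.slice(eq + 1));
    if (/[<>]/.test(value)) hits.push({ name, value });
  }
  return hits;
}

// Scan lines, keeping only authentication-endpoint requests with suspicious
// parameters; each finding carries enough context to pivot on in the SIEM.
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || !r.path.startsWith(AUTH_PATH_PREFIX)) continue;
    const hits = suspiciousParams(r.query);
    if (hits.length) findings.push({ ip: r.ip, ts: r.ts, path: r.path, status: r.status, params: hits });
  }
  return findings;
}

for (const f of scanLog(SAMPLE_LOG)) {
  console.log(`${f.ts} ${f.ip} ${f.path} ${f.params.map((p) => `${p.name}=${JSON.stringify(p.value)}`).join(' ')}`);
}
```

Two points worth keeping when adapting this: decode before matching, since the markup in the second and fourth sample lines never appears literally in the raw log; and correlate a hit with the response status, because a 200 on the authentication endpoint means the reflected value was rendered, which is the event the advisory describes.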
AppSecure Threat Intelligence Insight
CVE-2025-6024 highlights an ongoing trend of web application vulnerabilities that stem from improper input handling. As organizations increasingly rely on web applications for critical functions, the risk of exploiting such vulnerabilities grows. Security teams should prioritize secure coding practices to mitigate similar vulnerabilities in the future.
This vulnerability represents a broader pattern of weaknesses in web applications, emphasizing the need for continuous security assessments. Organizations are encouraged to integrate security testing into their development lifecycle. For effective strategies, teams can explore insights from our penetration testing methodology to strengthen their security posture.
In conclusion, ensuring robust security measures and timely responses to vulnerabilities like CVE-2025-6024 is essential for protecting organizational assets. Organizations should stay informed about new vulnerabilities and adapt their security strategies accordingly. For additional guidance on managing application security, refer to our resource on vulnerability management programs to proactively identify and remediate security issues.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.