Authenticated Arbitrary File Upload in Multiple WSO2 Products via SOAP...

8.4 / 10

HIGH

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Description

An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and destination in SOAP admin services. A malicious actor with administrative privileges can upload a specially crafted file to a user-controlled location within the deployment.

Successful exploitation may lead to remote code execution (RCE) on the server, depending on how the uploaded file is processed. By default, this vulnerability is only exploitable by users with administrative access to the affected SOAP services.

Basic Information

ID CVE-2025-10907

Source WSO2

Published Nov 5, 2025 at 18:03

Modified Nov 5, 2025 at 18:49

Affected Product

Vendor WSO2

Product WSO2 API Manager

Affected Versions WSO2 WSO2 API Manager 3.1.0
WSO2 WSO2 API Manager 3.2.0
WSO2 WSO2 API Manager 3.2.1
WSO2 WSO2 API Manager 4.0.0
WSO2 WSO2 API Manager 4.1.0
WSO2 WSO2 API Manager 4.2.0
WSO2 WSO2 API Manager 4.3.0
WSO2 WSO2 API Manager 4.4.0
WSO2 WSO2 API Manager 4.5.0
WSO2 WSO2 Open Banking IAM 2.0.0
WSO2 WSO2 Open Banking AM 2.0.0
WSO2 WSO2 API Control Plane 4.5.0
WSO2 WSO2 Universal Gateway 4.5.0
WSO2 WSO2 Traffic Manager 4.5.0
WSO2 WSO2 Micro Integrator 4.0.0
WSO2 WSO2 Micro Integrator 4.1.0
WSO2 WSO2 Micro Integrator 4.2.0
WSO2 WSO2 Identity Server 5.10.0
WSO2 WSO2 Identity Server 5.11.0
WSO2 WSO2 Identity Server 6.0.0
WSO2 WSO2 Identity Server 6.1.0
WSO2 WSO2 Identity Server 7.0.0
WSO2 WSO2 Identity Server 7.1.0
WSO2 WSO2 Identity Server as Key Manager 5.10.0
WSO2 WSO2 Enterprise Integrator 6.6.0
WSO2 org.jaggeryjs:org.jaggeryjs.jaggery.app.mgt 0.14.13
WSO2 org.jaggeryjs:org.jaggeryjs.jaggery.app.mgt 0.14.16
WSO2 org.wso2.carbon.event-processing:org.wso2.carbon.event.simulator.core 2.2.14
WSO2 org.wso2.carbon.event-processing:org.wso2.carbon.event.simulator.core 2.2.17
WSO2 org.wso2.carbon.event-processing:org.wso2.carbon.event.simulator.core 2.3.1
WSO2 org.wso2.carbon.mediation:org.wso2.carbon.mediation.library 4.7.30
WSO2 org.wso2.carbon.mediation:org.wso2.carbon.mediation.library 4.7.61
WSO2 org.wso2.carbon.mediation:org.wso2.carbon.mediation.library 4.7.99
WSO2 org.wso2.carbon.mediation:org.wso2.carbon.mediation.library 4.7.131
WSO2 org.wso2.carbon.mediation:org.wso2.carbon.mediation.library 4.7.175
WSO2 org.wso2.carbon.mediation:org.wso2.carbon.mediation.library 4.7.188
WSO2 org.wso2.carbon.mediation:org.wso2.carbon.mediation.library 4.7.204
WSO2 org.wso2.carbon.mediation:org.wso2.carbon.mediation.library 4.7.221
WSO2 org.wso2.carbon.mediation:org.wso2.carbon.mediation.library 4.7.245
WSO2 org.wso2.carbon.deployment:org.wso2.carbon.module.mgt 4.9.15
WSO2 org.wso2.carbon.deployment:org.wso2.carbon.module.mgt 4.10.1
WSO2 org.wso2.carbon.deployment:org.wso2.carbon.module.mgt 4.10.9
WSO2 org.wso2.carbon.deployment:org.wso2.carbon.module.mgt 4.11.1
WSO2 org.wso2.carbon.deployment:org.wso2.carbon.module.mgt 4.11.3
WSO2 org.wso2.carbon.deployment:org.wso2.carbon.module.mgt 4.11.7
WSO2 org.wso2.carbon.deployment:org.wso2.carbon.module.mgt 4.11.14
WSO2 org.wso2.carbon.deployment:org.wso2.carbon.module.mgt 4.11.17
WSO2 org.wso2.carbon.deployment:org.wso2.carbon.module.mgt 4.11.18
WSO2 org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt 4.10.1
WSO2 org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt 4.10.9
WSO2 org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt 4.11.1
WSO2 org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt 4.11.3
WSO2 org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt 4.11.7
WSO2 org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt 4.11.14
WSO2 org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt 4.11.17
WSO2 org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt 4.11.18
WSO2 org.apache.ws.commons.axiom.wso2:axiom 1.2.11
WSO2 org.wso2.carbon:org.wso2.carbon.base 4.5.3
WSO2 org.wso2.carbon:org.wso2.carbon.base 4.6.0
WSO2 org.wso2.carbon:org.wso2.carbon.base 4.6.1
WSO2 org.wso2.carbon:org.wso2.carbon.base 4.6.2
WSO2 org.wso2.carbon:org.wso2.carbon.base 4.6.3
WSO2 org.wso2.carbon:org.wso2.carbon.base 4.6.4
WSO2 org.wso2.carbon:org.wso2.carbon.base 4.7.1
WSO2 org.wso2.carbon:org.wso2.carbon.base 4.8.1
WSO2 org.wso2.carbon:org.wso2.carbon.base 4.9.0
WSO2 org.wso2.carbon:org.wso2.carbon.base 4.9.26
WSO2 org.wso2.carbon:org.wso2.carbon.base 4.9.27
WSO2 org.wso2.carbon:org.wso2.carbon.base 4.9.28
WSO2 org.wso2.carbon:org.wso2.carbon.base 4.10.9
WSO2 org.wso2.carbon:org.wso2.carbon.base 4.10.42
WSO2 org.wso2.carbon:org.wso2.carbon.utils 4.5.3
WSO2 org.wso2.carbon:org.wso2.carbon.utils 4.6.0
WSO2 org.wso2.carbon:org.wso2.carbon.utils 4.6.1
WSO2 org.wso2.carbon:org.wso2.carbon.utils 4.6.2
WSO2 org.wso2.carbon:org.wso2.carbon.utils 4.6.3
WSO2 org.wso2.carbon:org.wso2.carbon.utils 4.6.4
WSO2 org.wso2.carbon:org.wso2.carbon.utils 4.7.1
WSO2 org.wso2.carbon:org.wso2.carbon.utils 4.8.1
WSO2 org.wso2.carbon:org.wso2.carbon.utils 4.9.0
WSO2 org.wso2.carbon:org.wso2.carbon.utils 4.9.26
WSO2 org.wso2.carbon:org.wso2.carbon.utils 4.9.27
WSO2 org.wso2.carbon:org.wso2.carbon.utils 4.9.28
WSO2 org.wso2.carbon:org.wso2.carbon.utils 4.10.9
WSO2 org.wso2.carbon:org.wso2.carbon.utils 4.10.42

CWE Classification

CWE-434

References

security.docs.wso2.com /en/latest/security-announcements/security-advisories/2025/WSO2-2025-4603/

{
    "lastseen": "",
    "description": "An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and destination in SOAP admin services. A malicious actor with administrative privileges can upload a specially crafted file to a user-controlled location within the deployment.\n\nSuccessful exploitation may lead to remote code execution (RCE) on the server, depending on how the uploaded file is processed. By default, this vulnerability is only exploitable by users with administrative access to the affected SOAP services.",
    "published": "2025-11-05T18:03:49.831Z",
    "modified": "2025-11-05T18:49:44.604Z",
    "type": "cve",
    "title": "Authenticated Arbitrary File Upload in Multiple WSO2 Products via SOAP Admin Services Leading to Remote Code Execution",
    "source": "WSO2",
    "references": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4603/",
    "id": "CVE-2025-10907",
    "bulletinFamily": "",
    "cwe": [
        "CWE-434"
    ],
    "cvelist": null,
    "sourceData": "WSO2 WSO2 API Manager 3.1.0\nWSO2 WSO2 API Manager 3.2.0\nWSO2 WSO2 API Manager 3.2.1\nWSO2 WSO2 API Manager 4.0.0\nWSO2 WSO2 API Manager 4.1.0\nWSO2 WSO2 API Manager 4.2.0\nWSO2 WSO2 API Manager 4.3.0\nWSO2 WSO2 API Manager 4.4.0\nWSO2 WSO2 API Manager 4.5.0\nWSO2 WSO2 Open Banking IAM 2.0.0\nWSO2 WSO2 Open Banking AM 2.0.0\nWSO2 WSO2 API Control Plane 4.5.0\nWSO2 WSO2 Universal Gateway 4.5.0\nWSO2 WSO2 Traffic Manager 4.5.0\nWSO2 WSO2 Micro Integrator 4.0.0\nWSO2 WSO2 Micro Integrator 4.1.0\nWSO2 WSO2 Micro Integrator 4.2.0\nWSO2 WSO2 Identity Server 5.10.0\nWSO2 WSO2 Identity Server 5.11.0\nWSO2 WSO2 Identity Server 6.0.0\nWSO2 WSO2 Identity Server 6.1.0\nWSO2 WSO2 Identity Server 7.0.0\nWSO2 WSO2 Identity Server 7.1.0\nWSO2 WSO2 Identity Server as Key Manager 5.10.0\nWSO2 WSO2 Enterprise Integrator 6.6.0\nWSO2 org.jaggeryjs:org.jaggeryjs.jaggery.app.mgt 0.14.13\nWSO2 org.jaggeryjs:org.jaggeryjs.jaggery.app.mgt 0.14.16\nWSO2 org.wso2.carbon.event-processing:org.wso2.carbon.event.simulator.core 2.2.14\nWSO2 org.wso2.carbon.event-processing:org.wso2.carbon.event.simulator.core 2.2.17\nWSO2 org.wso2.carbon.event-processing:org.wso2.carbon.event.simulator.core 2.3.1\nWSO2 org.wso2.carbon.mediation:org.wso2.carbon.mediation.library 4.7.30\nWSO2 org.wso2.carbon.mediation:org.wso2.carbon.mediation.library 4.7.61\nWSO2 org.wso2.carbon.mediation:org.wso2.carbon.mediation.library 4.7.99\nWSO2 org.wso2.carbon.mediation:org.wso2.carbon.mediation.library 4.7.131\nWSO2 org.wso2.carbon.mediation:org.wso2.carbon.mediation.library 4.7.175\nWSO2 org.wso2.carbon.mediation:org.wso2.carbon.mediation.library 4.7.188\nWSO2 org.wso2.carbon.mediation:org.wso2.carbon.mediation.library 4.7.204\nWSO2 org.wso2.carbon.mediation:org.wso2.carbon.mediation.library 4.7.221\nWSO2 org.wso2.carbon.mediation:org.wso2.carbon.mediation.library 4.7.245\nWSO2 org.wso2.carbon.deployment:org.wso2.carbon.module.mgt 4.9.15\nWSO2 org.wso2.carbon.deployment:org.wso2.carbon.module.mgt 4.10.1\nWSO2 org.wso2.carbon.deployment:org.wso2.carbon.module.mgt 4.10.9\nWSO2 org.wso2.carbon.deployment:org.wso2.carbon.module.mgt 4.11.1\nWSO2 org.wso2.carbon.deployment:org.wso2.carbon.module.mgt 4.11.3\nWSO2 org.wso2.carbon.deployment:org.wso2.carbon.module.mgt 4.11.7\nWSO2 org.wso2.carbon.deployment:org.wso2.carbon.module.mgt 4.11.14\nWSO2 org.wso2.carbon.deployment:org.wso2.carbon.module.mgt 4.11.17\nWSO2 org.wso2.carbon.deployment:org.wso2.carbon.module.mgt 4.11.18\nWSO2 org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt 4.10.1\nWSO2 org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt 4.10.9\nWSO2 org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt 4.11.1\nWSO2 org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt 4.11.3\nWSO2 org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt 4.11.7\nWSO2 org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt 4.11.14\nWSO2 org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt 4.11.17\nWSO2 org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt 4.11.18\nWSO2 org.apache.ws.commons.axiom.wso2:axiom 1.2.11\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.5.3\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.6.0\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.6.1\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.6.2\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.6.3\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.6.4\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.7.1\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.8.1\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.9.0\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.9.26\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.9.27\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.9.28\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.10.9\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.10.42\nWSO2 org.wso2.carbon:org.wso2.carbon.utils 4.5.3\nWSO2 org.wso2.carbon:org.wso2.carbon.utils 4.6.0\nWSO2 org.wso2.carbon:org.wso2.carbon.utils 4.6.1\nWSO2 org.wso2.carbon:org.wso2.carbon.utils 4.6.2\nWSO2 org.wso2.carbon:org.wso2.carbon.utils 4.6.3\nWSO2 org.wso2.carbon:org.wso2.carbon.utils 4.6.4\nWSO2 org.wso2.carbon:org.wso2.carbon.utils 4.7.1\nWSO2 org.wso2.carbon:org.wso2.carbon.utils 4.8.1\nWSO2 org.wso2.carbon:org.wso2.carbon.utils 4.9.0\nWSO2 org.wso2.carbon:org.wso2.carbon.utils 4.9.26\nWSO2 org.wso2.carbon:org.wso2.carbon.utils 4.9.27\nWSO2 org.wso2.carbon:org.wso2.carbon.utils 4.9.28\nWSO2 org.wso2.carbon:org.wso2.carbon.utils 4.10.9\nWSO2 org.wso2.carbon:org.wso2.carbon.utils 4.10.42",
    "sourceHref": "",
    "cvss": {
        "score": 8.4,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "WSO2 API Manager",
    "version": "0",
    "vendor": "WSO2",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Authenticated Arbitrary File Upload in Multiple WSO2 Products via SOAP Admin Services Leading to Remote Code Execution_CVE-2025-10907