CVE-2025-10907
Authenticated Arbitrary File Upload in Multiple WSO2 Products via SOAP Admin Services Leading to Remote Code Execution
An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and destination in SOAP admin services. A malicious actor with administrative privileges can upload a specially crafted file to a user-controlled location within the deployment.
Successful exploitation may lead to remote code execution (RCE) on the server, depending on how the uploaded file is processed. By default, this vulnerability is only exploitable by users with administrative access to the affected SOAP services.
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Produtos afetados
WSO2 · org.apache.ws.commons.axiom.wso2:axiomWSO2 · org.jaggeryjs:org.jaggeryjs.jaggery.app.mgtWSO2 · org.wso2.carbon.deployment:org.wso2.carbon.module.mgtWSO2 · org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgtWSO2 · org.wso2.carbon.event-processing:org.wso2.carbon.event.simulator.coreWSO2 · org.wso2.carbon.mediation:org.wso2.carbon.mediation.libraryWSO2 · org.wso2.carbon:org.wso2.carbon.baseWSO2 · org.wso2.carbon:org.wso2.carbon.utilsWSO2 · WSO2 API Control PlaneWSO2 · WSO2 API ManagerWSO2 · WSO2 Enterprise IntegratorWSO2 · WSO2 Identity ServerWSO2 · WSO2 Identity Server as Key ManagerWSO2 · WSO2 Micro IntegratorWSO2 · WSO2 Open Banking AMWSO2 · WSO2 Open Banking IAMWSO2 · WSO2 Traffic ManagerWSO2 · WSO2 Universal GatewayQuer saber se a sua infraestrutura está exposta a isto?
Falar com a TrueHacking →