CVE-2024-7074

MEDIUM

WSO2 products - RCE

Title source: llm

Description

An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user input in SOAP admin services. A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location on the server. By leveraging this vulnerability, an attacker could upload a specially crafted payload, potentially achieving remote code execution (RCE) on the server. Exploitation requires valid admin credentials, limiting its impact to authorized but potentially malicious users.

References (1)

Core 1

Core References

Various Sources vendor-advisory

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3566/

Scores

CVSS v3 6.8

EPSS 0.0267

EPSS Percentile 85.9%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-434

Status published

Products (50)

WSO2/WSO2 API Manager < 2.0.0

WSO2/WSO2 API Manager 2.0.0 - 2.0.0.28

WSO2/WSO2 API Manager 2.1.0 - 2.1.0.38

WSO2/WSO2 API Manager 2.2.0 - 2.2.0.57

WSO2/WSO2 API Manager 2.5.0 - 2.5.0.83

WSO2/WSO2 API Manager 2.6.0 - 2.6.0.143

WSO2/WSO2 API Manager 3.0.0 - 3.0.0.162

WSO2/WSO2 API Manager 3.1.0 - 3.1.0.293

WSO2/WSO2 API Manager 3.2.0 - 3.2.0.384

WSO2/WSO2 API Manager 3.2.1 - 3.2.1.16

... and 40 more

Published Jun 02, 2025

Tracked Since Feb 18, 2026