Description
An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user-supplied filenames in the BPEL uploader SOAP service endpoint. A malicious actor with administrative privileges can upload arbitrary files to a user-controlled location on the server. By leveraging this vulnerability, an attacker can upload a specially crafted payload and achieve remote code execution (RCE), potentially compromising the server and its data.
References (1)
Core 1
Core References
Vendor Advisory vendor-advisory
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3992/
Scores
CVSS v3
6.7
EPSS
0.0043
EPSS Percentile
62.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-434
Status
published
Products (7)
wso2/enterprise_integrator
6.6.0
wso2/identity_server
5.10.0
wso2/identity_server
5.11.0
wso2/identity_server
6.0.0
wso2/identity_server
6.1.0
wso2/identity_server_as_key_manager
5.10.0
wso2/open_banking_iam
2.0.0
Published
Sep 26, 2025
Tracked Since
Feb 18, 2026