CVE-2025-1862
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2025-09-26
Last updated on: 2025-10-06
Assigner: WSO2 LLC
Description
Description
An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user-supplied filenames in the BPEL uploader SOAP service endpoint. A malicious actor with administrative privileges can upload arbitrary files to a user-controlled location on the server.
By leveraging this vulnerability, an attacker can upload a specially crafted payload and achieve remote code execution (RCE), potentially compromising the server and its data.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wso2 | enterprise_integrator | 6.6.0 |
| wso2 | identity_server | 5.10.0 |
| wso2 | identity_server | 5.11.0 |
| wso2 | identity_server | 6.0.0 |
| wso2 | identity_server | 6.1.0 |
| wso2 | identity_server_as_key_manager | 5.10.0 |
| wso2 | open_banking_iam | 2.0.0 |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
