CVE-2025-5717
BaseFortify
Publication date: 2025-09-23
Last updated on: 2025-11-21
Assigner: WSO2 LLC
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wso2 | api_control_plane | 4.5.0 |
| wso2 | api_manager | 3.0.0 |
| wso2 | api_manager | 3.1.0 |
| wso2 | api_manager | 3.2.0 |
| wso2 | api_manager | 3.2.1 |
| wso2 | api_manager | 4.0.0 |
| wso2 | api_manager | 4.1.0 |
| wso2 | api_manager | 4.2.0 |
| wso2 | api_manager | 4.3.0 |
| wso2 | api_manager | 4.4.0 |
| wso2 | api_manager | 4.5.0 |
| wso2 | open_banking_am | 2.0.0 |
| wso2 | traffic_manager | 4.5.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an authenticated remote code execution (RCE) flaw in multiple WSO2 products. It occurs because of improper input validation in the event processor admin service. An attacker with administrative access to the SOAP admin services can exploit this by deploying a Siddhi execution plan that contains malicious Java code, which then executes arbitrary code on the server.
How can this vulnerability impact me?
If exploited, this vulnerability allows an attacker with administrative privileges to execute arbitrary code on the affected server. This can lead to unauthorized actions such as data theft, service disruption, or further compromise of the system. However, exploitation requires valid administrative credentials, limiting the attack surface to authenticated users.