CVE-2025-10907
BaseFortify
Publication date: 2025-11-05
Last updated on: 2025-12-04
Assigner: WSO2 LLC
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wso2 | api_control_plane | 4.5.0 |
| wso2 | api_manager | 3.1.0 |
| wso2 | api_manager | 3.2.0 |
| wso2 | api_manager | 3.2.1 |
| wso2 | api_manager | 4.0.0 |
| wso2 | api_manager | 4.1.0 |
| wso2 | api_manager | 4.2.0 |
| wso2 | api_manager | 4.3.0 |
| wso2 | api_manager | 4.4.0 |
| wso2 | api_manager | 4.5.0 |
| wso2 | enterprise_integrator | 6.6.0 |
| wso2 | identity_server | 5.10.0 |
| wso2 | identity_server | 5.11.0 |
| wso2 | identity_server | 6.0.0 |
| wso2 | identity_server | 6.1.0 |
| wso2 | identity_server | 7.0.0 |
| wso2 | identity_server | 7.1.0 |
| wso2 | identity_server_as_key_manager | 5.10.0 |
| wso2 | open_banking_am | 2.0.0 |
| wso2 | open_banking_iam | 2.0.0 |
| wso2 | traffic_manager | 4.5.0 |
| wso2 | universal_gateway | 4.5.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an arbitrary file upload issue in multiple WSO2 products. It occurs because the system does not properly validate the content and destination of files uploaded via SOAP admin services. An attacker with administrative privileges can upload a specially crafted file to a location they control within the deployment.
How can this vulnerability impact me? :
If exploited, this vulnerability can lead to remote code execution (RCE) on the server, allowing an attacker to run malicious code remotely. This can compromise the integrity, confidentiality, and availability of the affected system. However, exploitation requires administrative access to the SOAP services.