ГлавнаяУязвимости → CVE-2025-10907
8.4высокая

CVE-2025-10907

Описание

An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and destination in SOAP admin services. A malicious actor with administrative privileges can upload a specially crafted file to a user-controlled location within the deployment. Successful exploitation may lead to remote code execution (RCE) on the server, depending on how the uploaded file is processed. By default, this vulnerability is only exploitable by users with administrative access to the affected SOAP services.

Затрагиваемое ПО
Wso2 Api control planeWso2 Api managerWso2 Enterprise integratorWso2 Identity serverWso2 Identity server as key managerWso2 Open banking amWso2 Open banking iamWso2 Traffic managerWso2 Universal gateway
CVSS
Балл8.4 — высокая
ВекторCVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Источники
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4603/