CVE-2025-13590
9.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Summary
A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution.
By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| WSO2 | WSO2 API Manager | 0 < 4.2.0 | unaffected |
| WSO2 | WSO2 API Manager | 4.2.0 < 4.2.0.179 | affected |
| WSO2 | WSO2 API Manager | 4.3.0 < 4.3.0.91 | affected |
| WSO2 | WSO2 API Manager | 4.4.0 < 4.4.0.55 | affected |
| WSO2 | WSO2 API Manager | 4.5.0 < 4.5.0.38 | affected |
| WSO2 | WSO2 API Manager | 4.6.0 < 4.6.0.3 | affected |
| WSO2 | WSO2 API Control Plane | 0 < 4.5.0 | unknown |
| WSO2 | WSO2 API Control Plane | 4.5.0 < 4.5.0.39 | affected |
| WSO2 | WSO2 API Control Plane | 4.6.0 < 4.6.0.3 | affected |
| WSO2 | WSO2 Universal Gateway | 0 < 4.5.0 | unknown |
| WSO2 | WSO2 Universal Gateway | 4.5.0 < 4.5.0.37 | affected |
| WSO2 | WSO2 Universal Gateway | 4.6.0 < 4.6.0.3 | affected |
| WSO2 | WSO2 Traffic Manager | 0 < 4.5.0 | unknown |
| WSO2 | WSO2 Traffic Manager | 4.5.0 < 4.5.0.37 | affected |
| WSO2 | WSO2 Traffic Manager | 4.6.0 < 4.6.0.3 | affected |
| WSO2 | org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl | 9.28.116 < 9.28.116.391 | affected |
| WSO2 | org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl | 9.29.120 < 9.29.120.210 | affected |
| WSO2 | org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl | 9.30.67 < 9.30.67.133 | affected |
| WSO2 | org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl | 9.31.86 < 9.31.86.100 | affected |
| WSO2 | org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl | 9.32.147 < 9.32.147.2 | affected |
| WSO2 | org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl | 9.32.167 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.