CVE-2025-13590

Summary

A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution.

By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.

Affected Software

VendorProductVersion RangeStatus
WSO2WSO2 API Manager0 < 4.2.0unaffected
WSO2WSO2 API Manager4.2.0 < 4.2.0.179affected
WSO2WSO2 API Manager4.3.0 < 4.3.0.91affected
WSO2WSO2 API Manager4.4.0 < 4.4.0.55affected
WSO2WSO2 API Manager4.5.0 < 4.5.0.38affected
WSO2WSO2 API Manager4.6.0 < 4.6.0.3affected
WSO2WSO2 API Control Plane0 < 4.5.0unknown
WSO2WSO2 API Control Plane4.5.0 < 4.5.0.39affected
WSO2WSO2 API Control Plane4.6.0 < 4.6.0.3affected
WSO2WSO2 Universal Gateway0 < 4.5.0unknown
WSO2WSO2 Universal Gateway4.5.0 < 4.5.0.37affected
WSO2WSO2 Universal Gateway4.6.0 < 4.6.0.3affected
WSO2WSO2 Traffic Manager0 < 4.5.0unknown
WSO2WSO2 Traffic Manager4.5.0 < 4.5.0.37affected
WSO2WSO2 Traffic Manager4.6.0 < 4.6.0.3affected
WSO2org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl9.28.116 < 9.28.116.391affected
WSO2org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl9.29.120 < 9.29.120.210affected
WSO2org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl9.30.67 < 9.30.67.133affected
WSO2org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl9.31.86 < 9.31.86.100affected
WSO2org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl9.32.147 < 9.32.147.2affected
WSO2org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl9.32.167 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References