CVE-2025-1862

Summary

An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user-supplied filenames in the BPEL uploader SOAP service endpoint. A malicious actor with administrative privileges can upload arbitrary files to a user-controlled location on the server.

By leveraging this vulnerability, an attacker can upload a specially crafted payload and achieve remote code execution (RCE), potentially compromising the server and its data.

Affected Software

VendorProductVersion RangeStatus
WSO2WSO2 Enterprise Integrator6.6.0 < 6.6.0.215affected
WSO2WSO2 Identity Server0 < 5.10.0unknown
WSO2WSO2 Identity Server5.10.0 < 5.10.0.347affected
WSO2WSO2 Identity Server5.11.0 < 5.11.0.396affected
WSO2WSO2 Identity Server6.0.0 < 6.0.0.232affected
WSO2WSO2 Identity Server6.1.0 < 6.1.0.224affected
WSO2WSO2 Open Banking IAM2.0.0 < 2.0.0.391affected
WSO2WSO2 Identity Server as Key Manager0 < 5.10.0unknown
WSO2WSO2 Identity Server as Key Manager5.10.0 < 5.10.0.340affected

Weaknesses

  • CWE-434: CWE-434 Unrestricted Upload of File with Dangerous Type

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References