CVE-2025-5717
6.8
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
An authenticated remote code execution (RCE) vulnerability exists in multiple WSO2 products due to improper input validation in the event processor admin service. A user with administrative access to the SOAP admin services can exploit this flaw by deploying a Siddhi execution plan containing malicious Java code, resulting in arbitrary code execution on the server.
Exploitation of this vulnerability requires a valid user account with administrative privileges, limiting the attack surface to authenticated but potentially malicious users.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| WSO2 | WSO2 API Manager | 0 < 3.0.0 | unknown |
| WSO2 | WSO2 API Manager | 3.0.0 < 3.0.0.174 | affected |
| WSO2 | WSO2 API Manager | 3.1.0 < 3.1.0.330 | affected |
| WSO2 | WSO2 API Manager | 3.2.0 < 3.2.0.426 | affected |
| WSO2 | WSO2 API Manager | 3.2.1 < 3.2.1.46 | affected |
| WSO2 | WSO2 API Manager | 4.0.0 < 4.0.0.344 | affected |
| WSO2 | WSO2 API Manager | 4.1.0 < 4.1.0.208 | affected |
| WSO2 | WSO2 API Manager | 4.2.0 < 4.2.0.147 | affected |
| WSO2 | WSO2 API Manager | 4.3.0 < 4.3.0.59 | affected |
| WSO2 | WSO2 API Manager | 4.4.0 < 4.4.0.22 | affected |
| WSO2 | WSO2 API Manager | 4.5.0 < 4.5.0.6 | affected |
| WSO2 | WSO2 Open Banking AM | 0 < 2.0.0 | unknown |
| WSO2 | WSO2 Open Banking AM | 2.0.0 < 2.0.0.379 | affected |
| WSO2 | WSO2 Traffic Manager | 4.5.0 < 4.5.0.6 | affected |
| WSO2 | WSO2 API Control Plane | 4.5.0 < 4.5.0.6 | affected |
| WSO2 | Siddhi Extension Evaluate Scripts | 3.2.6 < 3.2.6.8 | affected |
| WSO2 | Siddhi Extension Evaluate Scripts | 3.2.7 < 3.2.7.6 | affected |
| WSO2 | Siddhi Extension Evaluate Scripts | 3.2.8 < 3.2.8.3 | affected |
| WSO2 | Siddhi Extension Evaluate Scripts | 3.2.10 < 3.2.10.1 | affected |
| WSO2 | Siddhi Extension Evaluate Scripts | 3.2.13 < 3.2.13.2 | affected |
| WSO2 | Siddhi Extension Evaluate Scripts | 3.2.14 < 3.2.14.1 | affected |
| WSO2 | Siddhi Extension Evaluate Scripts | 3.2.15 <= * | unaffected |
Weaknesses
- CWE-94: CWE-94 Improper Control of Generation of Code ('Code Injection')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.