CVE-2025-5717

Summary

An authenticated remote code execution (RCE) vulnerability exists in multiple WSO2 products due to improper input validation in the event processor admin service. A user with administrative access to the SOAP admin services can exploit this flaw by deploying a Siddhi execution plan containing malicious Java code, resulting in arbitrary code execution on the server.

Exploitation of this vulnerability requires a valid user account with administrative privileges, limiting the attack surface to authenticated but potentially malicious users.

Affected Software

VendorProductVersion RangeStatus
WSO2WSO2 API Manager0 < 3.0.0unknown
WSO2WSO2 API Manager3.0.0 < 3.0.0.174affected
WSO2WSO2 API Manager3.1.0 < 3.1.0.330affected
WSO2WSO2 API Manager3.2.0 < 3.2.0.426affected
WSO2WSO2 API Manager3.2.1 < 3.2.1.46affected
WSO2WSO2 API Manager4.0.0 < 4.0.0.344affected
WSO2WSO2 API Manager4.1.0 < 4.1.0.208affected
WSO2WSO2 API Manager4.2.0 < 4.2.0.147affected
WSO2WSO2 API Manager4.3.0 < 4.3.0.59affected
WSO2WSO2 API Manager4.4.0 < 4.4.0.22affected
WSO2WSO2 API Manager4.5.0 < 4.5.0.6affected
WSO2WSO2 Open Banking AM0 < 2.0.0unknown
WSO2WSO2 Open Banking AM2.0.0 < 2.0.0.379affected
WSO2WSO2 Traffic Manager4.5.0 < 4.5.0.6affected
WSO2WSO2 API Control Plane4.5.0 < 4.5.0.6affected
WSO2Siddhi Extension Evaluate Scripts3.2.6 < 3.2.6.8affected
WSO2Siddhi Extension Evaluate Scripts3.2.7 < 3.2.7.6affected
WSO2Siddhi Extension Evaluate Scripts3.2.8 < 3.2.8.3affected
WSO2Siddhi Extension Evaluate Scripts3.2.10 < 3.2.10.1affected
WSO2Siddhi Extension Evaluate Scripts3.2.13 < 3.2.13.2affected
WSO2Siddhi Extension Evaluate Scripts3.2.14 < 3.2.14.1affected
WSO2Siddhi Extension Evaluate Scripts3.2.15 <= *unaffected

Weaknesses

  • CWE-94: CWE-94 Improper Control of Generation of Code ('Code Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References