WSO2 Admin SOAP Services Arbitrary File Upload (RCE)
CVE-2025-10907 Published on November 5, 2025

Authenticated Arbitrary File Upload in Multiple WSO2 Products via SOAP Admin Services Leading to Remote Code Execution
An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and destination in SOAP admin services. A malicious actor with administrative privileges can upload a specially crafted file to a user-controlled location within the deployment. Successful exploitation may lead to remote code execution (RCE) on the server, depending on how the uploaded file is processed. By default, this vulnerability is only exploitable by users with administrative access to the affected SOAP services.

Vendor Advisory NVD

Vulnerability Analysis

Attack Vector:

ADJACENT_NETWORK

Attack Complexity:

LOW

Privileges Required:

HIGH

User Interaction:

NONE

Scope:

CHANGED

Confidentiality Impact:

HIGH

Integrity Impact:

HIGH

Availability Impact:

HIGH

Weakness Type

What is an Unrestricted File Upload Vulnerability?

The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.

CVE-2025-10907 has been classified to as an Unrestricted File Upload vulnerability or weakness.

Products Associated with CVE-2025-10907

Want to know whenever a new CVE is published for Wso2 products? stack.watch will email you.

Wso2 Api Manager

Wso2 Open Banking Iam

Wso2 Open Banking Am

Wso2 Api Control Plane

Wso2 Universal Gateway

Wso2 Traffic Manager

Wso2 Micro Integrator

Wso2 Identity Server

Wso2 Identity Server As Key Manager

Wso2 Enterprise Integrator

Wso2 Org Jaggeryjs Org Jaggeryjs Jaggery App Mgt

Org Wso2 Carbon Event Processing Org Wso2 Carbon Event Simulator Core

Org Wso2 Carbon Mediation Org Wso2 Carbon Mediation Library

Org Wso2 Carbon Deployment Org Wso2 Carbon Module Mgt

Org Wso2 Carbon Deployment Org Wso2 Carbon Webapp Mgt

Org Apache Ws Commons Axiom Wso2 Axiom

Org Wso2 Carbon Org Wso2 Carbon Base

Org Wso2 Carbon Org Wso2 Carbon Utils

Affected Versions

WSO2 API Manager:

Before 3.1.0 is unknown.
Version 3.1.0 and below 3.1.0.345 is affected.
Version 3.2.0 and below 3.2.0.448 is affected.
Version 3.2.1 and below 3.2.1.66 is affected.
Version 4.0.0 and below 4.0.0.367 is affected.
Version 4.1.0 and below 4.1.0.230 is affected.
Version 4.2.0 and below 4.2.0.169 is affected.
Version 4.3.0 and below 4.3.0.81 is affected.
Version 4.4.0 and below 4.4.0.45 is affected.
Version 4.5.0 and below 4.5.0.28 is affected.

WSO2 Open Banking IAM:

Before 2.0.0 is unknown.
Version 2.0.0 and below 2.0.0.414 is affected.

WSO2 Open Banking AM:

Before 2.0.0 is unknown.
Version 2.0.0 and below 2.0.0.394 is affected.

WSO2 API Control Plane:

Version 4.5.0 and below 4.5.0.29 is affected.

WSO2 Universal Gateway:

Version 4.5.0 and below 4.5.0.27 is affected.

WSO2 Traffic Manager:

Version 4.5.0 and below 4.5.0.27 is affected.

WSO2 Micro Integrator:

Before 4.0.0 is unknown.
Version 4.0.0 and below 4.0.0.145 is affected.
Version 4.1.0 and below 4.1.0.147 is affected.
Version 4.2.0 and below 4.2.0.141 is affected.

WSO2 Identity Server:

Before 5.10.0 is unknown.
Version 5.10.0 and below 5.10.0.375 is affected.
Version 5.11.0 and below 5.11.0.419 is affected.
Version 6.0.0 and below 6.0.0.248 is affected.
Version 6.1.0 and below 6.1.0.248 is affected.
Version 7.0.0 and below 7.0.0.124 is affected.
Version 7.1.0 and below 7.1.0.31 is affected.

WSO2 Identity Server as Key Manager:

Before 5.10.0 is unknown.
Version 5.10.0 and below 5.10.0.365 is affected.

WSO2 Enterprise Integrator:

Before 6.6.0 is unknown.
Version 6.6.0 and below 6.6.0.224 is affected.

WSO2 org.jaggeryjs:org.jaggeryjs.jaggery.app.mgt:

Version 0.14.13 and below 0.14.13.8 is affected.
Version 0.14.16 and below 0.14.16.1 is affected.

org.wso2.carbon.event-processing:org.wso2.carbon.event.simulator.core:

Version 2.2.14 and below 2.2.14.7 is affected.
Version 2.2.17 and below 2.2.17.2 is affected.
Version 2.3.1 and below 2.3.1.3 is affected.
Version 2.3.19, <= * is unaffected.

org.wso2.carbon.mediation:org.wso2.carbon.mediation.library:

Version 4.7.30 and below 4.7.30.47 is affected.
Version 4.7.61 and below 4.7.61.62 is affected.
Version 4.7.99 and below 4.7.99.304 is affected.
Version 4.7.131 and below 4.7.131.22 is affected.
Version 4.7.175 and below 4.7.175.30 is affected.
Version 4.7.188 and below 4.7.188.12 is affected.
Version 4.7.204 and below 4.7.204.13 is affected.
Version 4.7.221 and below 4.7.221.7 is affected.
Version 4.7.245 and below 4.7.245.7 is affected.
Version 4.7.262, <= * is unaffected.

org.wso2.carbon.deployment:org.wso2.carbon.module.mgt:

Version 4.9.15 and below 4.9.15.2 is affected.
Version 4.10.1 and below 4.10.1.1 is affected.
Version 4.10.9 and below 4.10.9.2 is affected.
Version 4.11.1 and below 4.11.1.3 is affected.
Version 4.11.3 and below 4.11.3.3 is affected.
Version 4.11.7 and below 4.11.7.5 is affected.
Version 4.11.14 and below 4.11.14.2 is affected.
Version 4.11.17 and below 4.11.17.3 is affected.
Version 4.11.18 and below 4.11.18.1 is affected.
Version 4.11.24, <= * is unaffected.

org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt:

Version 4.10.1 and below 4.10.1.1 is affected.
Version 4.10.9 and below 4.10.9.2 is affected.
Version 4.11.1 and below 4.11.1.3 is affected.
Version 4.11.3 and below 4.11.3.3 is affected.
Version 4.11.7 and below 4.11.7.5 is affected.
Version 4.11.14 and below 4.11.14.2 is affected.
Version 4.11.17 and below 4.11.17.3 is affected.
Version 4.11.18 and below 4.11.18.1 is affected.
Version 4.11.24, <= * is unaffected.

org.apache.ws.commons.axiom.wso2:axiom:

Version 1.2.11 and below 1.2.11.wso2v17_5 is affected.
Version 1.2.11-wso2v21, <= * is unaffected.

org.wso2.carbon:org.wso2.carbon.base:

Version 4.5.3 and below 4.5.3.46 is affected.
Version 4.6.0 and below 4.6.0.2005 is affected.
Version 4.6.1 and below 4.6.1.153 is affected.
Version 4.6.2 and below 4.6.2.668 is affected.
Version 4.6.3 and below 4.6.3.37 is affected.
Version 4.6.4 and below 4.6.4.15 is affected.
Version 4.7.1 and below 4.7.1.72 is affected.
Version 4.8.1 and below 4.8.1.40 is affected.
Version 4.9.0 and below 4.9.0.103 is affected.
Version 4.9.26 and below 4.9.26.26 is affected.
Version 4.9.27 and below 4.9.27.11 is affected.
Version 4.9.28 and below 4.9.28.12 is affected.
Version 4.10.9 and below 4.10.9.71 is affected.
Version 4.10.42 and below 4.10.42.14 is affected.
Version 4.9.30, <= 4.9.* is unaffected.
Version 4.10.95, <= * is unaffected.

org.wso2.carbon:org.wso2.carbon.utils:

Version 4.5.3 and below 4.5.3.46 is affected.
Version 4.6.0 and below 4.6.0.2005 is affected.
Version 4.6.1 and below 4.6.1.153 is affected.
Version 4.6.2 and below 4.6.2.668 is affected.
Version 4.6.3 and below 4.6.3.37 is affected.
Version 4.6.4 and below 4.6.4.15 is affected.
Version 4.7.1 and below 4.7.1.72 is affected.
Version 4.8.1 and below 4.8.1.40 is affected.
Version 4.9.0 and below 4.9.0.103 is affected.
Version 4.9.26 and below 4.9.26.26 is affected.
Version 4.9.27 and below 4.9.27.11 is affected.
Version 4.9.28 and below 4.9.28.12 is affected.
Version 4.10.9 and below 4.10.9.71 is affected.
Version 4.10.42 and below 4.10.42.14 is affected.
Version 4.9.30, <= 4.9.* is unaffected.
Version 4.10.95, <= * is unaffected.

Exploit Probability

EPSS

0.41%

Percentile

61.65%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

WSO2 Admin SOAP Services Arbitrary File Upload (RCE)CVE-2025-10907 Published on November 5, 2025

Vulnerability Analysis

Weakness Type

What is an Unrestricted File Upload Vulnerability?

Products Associated with CVE-2025-10907

Affected Versions

Exploit Probability

WSO2 Admin SOAP Services Arbitrary File Upload (RCE)
CVE-2025-10907 Published on November 5, 2025