CVE-2022-29464
Published 2022-04-18
Priority P1 (100) · critical · CVSS 3.1 base score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, remediation due 2022-05-16
Exploited in the wild
EPSS 100.00% (100.0th percentile)
Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 up to 4.0.0, WSO2 Identity Server 5.2.0 up to 5.11.0, WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0 and 5.6.0, WSO2 Identity Server as Key Manager 5.3.0 up to 5.11.0, WSO2 Enterprise Integrator 6.2.0 up to 6.6.0, WSO2 Open Banking AM 1.4.0 up to 2.0.0 and WSO2 Open Banking KM 1.4.0, up to 2.0.0.
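The root cause described above, as an added illustration that is not WSO2's code or anything from the advisories cited on this page: the unsafe and the hardened way of turning a multipart Content-Disposition filename into an on-disk path. The upload directory name, the header sample and the function names are assumptions made for the example.

```python
import os
import re
from urllib.parse import unquote

# Added example (not WSO2's code): contain a multipart "filename" taken from a
# Content-Disposition header to the intended upload directory. The unsafe
# function joins the client-supplied name as-is, so a name such as
# "../../../../repository/deployment/server/webapps/x.war" lands in the
# servlet container's auto-deploy directory. The hardened function strips
# directory components and verifies containment after canonicalisation.
# Directory names used here are hypothetical.

_FILENAME_RE = re.compile(r'filename\*?=(?:"([^"]*)"|([^;]*))', re.IGNORECASE)


def filename_from_content_disposition(header: str) -> str:
    """Return the filename parameter of a Content-Disposition value ("" if absent)."""
    m = _FILENAME_RE.search(header)
    if not m:
        return ""
    value = m.group(1) if m.group(1) is not None else m.group(2)
    return value.strip()


def unsafe_upload_path(base_dir: str, filename: str) -> str:
    """VULNERABLE pattern: trusts the client-supplied name, so '../' walks out of base_dir."""
    return os.path.normpath(os.path.join(base_dir, filename))


def safe_upload_path(base_dir: str, filename: str) -> str:
    """HARDENED: decode, reject NUL, keep only the basename, then verify containment."""
    name = unquote(filename)            # defensive: some stacks hand over %2F-encoded names
    name = name.replace("\\", "/")      # treat backslash as a separator, not a filename char
    if "\x00" in name:
        raise ValueError("NUL byte in filename")
    name = os.path.basename(name)       # discard every directory component, including '..'
    if name in ("", ".", ".."):
        raise ValueError("empty or dot-only filename")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    # Second, independent check: the canonical target must still sit under base.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("upload path escapes the upload directory")
    return target


if __name__ == "__main__":
    hdr = 'form-data; name="file"; filename="../../../../repository/deployment/server/webapps/x.war"'
    fn = filename_from_content_disposition(hdr)
    print("unsafe:", unsafe_upload_path("/opt/wso2/tmp/uploads", fn))   # walks out of the upload dir
    print("safe:  ", safe_upload_path("/opt/wso2/tmp/uploads", fn))     # .../uploads/x.war
```

The basename step alone defeats the traversal; the realpath/commonpath check is kept as an independent second barrier so that a later change to the name handling (for instance, allowing client-chosen subdirectories) cannot silently reopen the hole.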
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wso2 | api_manager | 2.2.0 – 4.0.0 | — |
| wso2 | enterprise_integrator | 6.2.0 – 6.6.0 | — |
| wso2 | identity_server | 5.2.0 – 5.11.0 | — |
| wso2 | identity_server_analytics | 5.4.0 | — |
| wso2 | identity_server_analytics | 5.4.1 | — |
| wso2 | identity_server_analytics | 5.5.0 | — |
| wso2 | identity_server_analytics | 5.6.0 | — |
| wso2 | identity_server_as_key_manager | 5.3.0 – 5.10.0 | — |
| wso2 | open_banking_am | 1.3.0 – 2.0.0 | — |
| wso2 | open_banking_iam | — | — |
| wso2 | open_banking_km | 1.3.0 – 1.5.0 | — |
Detection & IOCs (extracted from sources)
- path: /repository/deployment/server/webapps/{5 letters like HcTnA}/WEB-INF/classes/metasploit/Payload.class
- Monitor for Java process spawning wget or curl to retrieve remote shell scripts (e.g., auto.sh), which is indicative of post-exploitation activity following CVE-2022-29464 web shell installation.
- Alert on chmod commands executed by the Java process owner, as this is a post-exploitation indicator observed in CVE-2022-29464 attacks.
- Detect outbound connections from WSO2 Java processes to 179.60.150.29:4444, which is a confirmed Cobalt Strike C2 callback destination used in active exploitation of CVE-2022-29464.
- Hunt for newly created .JSP or .WAR files under /repository/deployment/server/webapps/authenticationendpoint/ or random 5-letter named .war directories, as these are the primary web shell drop locations observed in CVE-2022-29464 exploitation.
- Detect HTTP requests to WSO2 /fileupload endpoints containing Content-Disposition headers with directory traversal sequences (e.g., ../../../../repository/deployment/server/webapps).
- Look for the presence of Payload.class under WEB-INF/classes/metasploit/ within WSO2 webapps directories, indicating Metasploit module deployment via CVE-2022-29464.
- Check for the presence of fscan.exe in C:\Windows\Temp\ as a lateral movement/network scanning tool dropped after CVE-2022-29464 exploitation on Windows systems.
- Monitor /dev/shm/ for executable files (e.g., hezb), as threat actors used this in-memory path to stage coinminer payloads after CVE-2022-29464 exploitation.
- The Cobalt Strike beacon observed targeting Linux environments is not an official Cobalt Strike artifact; it was custom-developed by the threat actor for Linux compatibility, making signature-based detection against standard Cobalt Strike beacon profiles less reliable.
- Exploitation requires no user interaction and no administrative privileges, meaning any internet-exposed WSO2 instance is at risk without authentication as a prerequisite barrier.
- Affected WSO2 servers are easily discoverable via Google or Shodan searches, meaning threat actors can rapidly enumerate targets at scale.
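Two of the indicators above turned into runnable detection logic, as an added example that is not taken from any of the sources on this page: request-level detection of /fileupload uploads whose Content-Disposition filename carries a traversal sequence, and a filesystem hunt for the web shell artefacts listed (random 5-letter webapps, the Metasploit Payload.class, fresh JSP/WAR files under authenticationendpoint). The log lines and the webapps tree are constructed for the demo; the tab-separated "method, path, Content-Disposition" log format is a hypothetical reverse-proxy capture, since stock access logs do not record that header, and the /fileupload/resource sub-path is an assumption.

```python
import os
import re
import tempfile
from urllib.parse import unquote

# Added example, not taken from the sources above: detection logic for two of
# the observables in the IOC list. SAMPLE_LOG and the webapps tree built by
# build_fixture() are constructed; the log format is a hypothetical proxy/WAF
# capture that records the multipart Content-Disposition header.

TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
FIVE_LETTER_APP_RE = re.compile(r'^[A-Za-z]{5}(\.war)?$')

SAMPLE_LOG = [  # constructed; "/fileupload/resource" is a hypothetical sub-path
    'POST\t/fileupload/resource\tform-data; name="file"; filename="../../../../repository/deployment/server/webapps/HcTnA.war"',
    'POST\t/fileupload/resource\tform-data; name="file"; filename="..%2F..%2F..%2F..%2Frepository%2Fdeployment%2Fserver%2Fwebapps%2Fx.jsp"',
    'POST\t/fileupload/resource\tform-data; name="file"; filename="report.pdf"',
    'GET\t/carbon/admin/login.jsp\t-',
]


def flag_upload_requests(lines):
    """Return (path, decoded filename) for /fileupload POSTs with traversal in the filename."""
    hits = []
    for line in lines:
        method, path, disposition = line.split("\t", 2)
        if method != "POST" or not path.startswith("/fileupload"):
            continue
        m = re.search(r'filename="([^"]*)"', disposition)
        if m is None:
            continue
        name = unquote(m.group(1))          # also catches %2F / %2E-encoded traversal
        if TRAVERSAL_RE.search(name):
            hits.append((path, name))
    return hits


def hunt_webapps(webapps_dir, since):
    """Walk a WSO2 webapps directory and return sorted (kind, path) findings:
    - top-level apps with a random-looking 5-letter name (exploded dir or .war),
    - WEB-INF/classes/metasploit/Payload.class anywhere,
    - .jsp/.war under authenticationendpoint/ modified after `since` (epoch seconds).
    authenticationendpoint legitimately ships JSPs, hence the mtime cut-off; in
    production also diff against a known-good file list of the installed version."""
    findings = []
    for entry in os.scandir(webapps_dir):
        if FIVE_LETTER_APP_RE.match(entry.name):
            findings.append(("random-5-letter-webapp", entry.path))
    for dirpath, _, filenames in os.walk(webapps_dir):
        top = os.path.relpath(dirpath, webapps_dir).split(os.sep)[0]
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            if fn == "Payload.class" and dirpath.endswith(os.path.join("WEB-INF", "classes", "metasploit")):
                findings.append(("metasploit-payload-class", full))
            elif top == "authenticationendpoint" and fn.lower().endswith((".jsp", ".war")) \
                    and os.stat(full).st_mtime > since:
                findings.append(("new-jsp-or-war-in-authenticationendpoint", full))
    return sorted(findings)


def build_fixture(root=None):
    """Constructed webapps tree for the demo: one baseline JSP, one fresh JSP, one
    random-named exploded app carrying the Metasploit payload class, one normal app."""
    if root is None:
        root = tempfile.mkdtemp()

    def touch(path, mtime=None):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"x")
        if mtime is not None:
            os.utime(path, (mtime, mtime))

    baseline = 1_600_000_000   # September 2020: stands in for the install-time mtime
    touch(os.path.join(root, "authenticationendpoint", "login.jsp"), baseline)
    touch(os.path.join(root, "authenticationendpoint", "shell.jsp"))            # fresh mtime
    touch(os.path.join(root, "HcTnA", "WEB-INF", "classes", "metasploit", "Payload.class"))
    touch(os.path.join(root, "api", "WEB-INF", "web.xml"))
    return root


if __name__ == "__main__":
    for hit in flag_upload_requests(SAMPLE_LOG):
        print("traversal upload:", hit)
    for kind, path in hunt_webapps(build_fixture(), since=1_650_000_000):   # cut-off: mid-April 2022
        print(kind, path)
```

The filename is URL-decoded before the traversal check so that a percent-encoded sequence is not missed; the mtime cut-off for authenticationendpoint should be set to the last legitimate deployment time of the instance being hunted, and expect some 5-letter false positives if the deployment carries its own short-named webapps.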
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
CISA
WSO2 Multiple Products Unrestrictive Upload of File Vulnerability
cisa·2022-04-25·CVSS 9.8·CVE-2022-29464 [CRITICAL]·CWE-22
Affected: WSO2 Multiple Products
Multiple WSO2 products allow for unrestricted file upload, resulting in remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2022-29464
Remediation Due Date: 2022-05-16
GHSA
GHSA-mfgw-52pj-hrhg: Certain WSO2 products allow unrestricted file upload with resultant remote code execution
ghsa_unreviewed·2022-04-20·CVE-2022-29464 [CRITICAL]·CWE-22
Certain WSO2 products allow unrestricted file upload with resultant remote code execution. This affects WSO2 API Manager 2.2.0 and above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0; WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0; and WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0.
VulnCheck
WSO2 Multiple Products Unrestrictive Upload of File Vulnerability
vulncheck·2022·CVSS 9.8·CVE-2022-29464 [CRITICAL]·CWE-22
Multiple WSO2 products allow for unrestricted file upload, resulting in remote code execution.
Affected: WSO2 Multiple Products
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://www.rapid7.com/blog/post/2022/04/22/opportunistic-exploitation-of-wso2-cve-2022-29464/
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://www.trendmicro.com/en_us/research/22/e/patch-your-wso2-cve-2022-29464-exploited-to-install-linux-compatible-cobalt-strike-beacons-other-malware.html
- https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/
- https://unit42.paloaltonetworks.com/recent-exploi
No detection rules found.
Metasploit
WSO2 Arbitrary File Upload to RCE
metasploit
This module abuses a vulnerability in certain WSO2 products that allow unrestricted file upload with resultant remote code execution. This affects WSO2 API Manager 2.2.0 and above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0; WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0; and WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0.
Nuclei
WSO2 Management - Arbitrary File Upload & Remote Code Execution
nuclei·CVSS 9.8·CVE-2022-29464 [CRITICAL]
Certain WSO2 products allow unrestricted file upload with resultant remote code execution. This affects WSO2 API Manager 2.2.0 and above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0; WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0; and WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0.
Template:
```yaml
id: CVE-2022-29464
info:
  name: WSO2 Management - Arbitrary File Upload & Remote Code Execution
  author: luci,dhiyaneshDk
  severity: critical
  description: |
    Certain WSO2 products allow unrestricted file upload with resultant remote code execution. This affects WSO2 API Manager 2.2.0 and above through 4.0.0; WSO2 Identity Serv
```
Tenable
AA23-215A: 2022's Top Routinely Exploited Vulnerabilities
blogs_tenable·2023-08-03
Trendmicro
Attack Surface Management 2022 Midyear Review Part 2
blogs_trendmicro·2022-10-27
In our 2022 midyear roundup, we examine the most significant trends and incidents that influenced the cybersecurity landscape in the first half of the year.
By: Trend Micro, 2022/10/27
The cybersecurity landscape changed significantly in the first half of 2022. In our midyear roundup, we examine these changes and their effects on business operations as well as what you need to know about staying protected from online attacks.
In part one of the series, we talked about the growing attack surface and how actors have become more sophisticated. In this second instalment, we put ransomware and cloud environments into the spotlight. We also discuss other notable vulnerabilities that hav
Unit42
Network Security Trends: Recent Exploits Observed in the Wild Include Remote Code Execution, Cross-Site Scripting and More
blogs_unit42·2022-08-19
Yue Guan, published August 19, 2022
Tagged CVEs: CVE-2021-20166, CVE-2021-20167, CVE-2021-21881, CVE-2021-24762, CVE-2021-28169, CVE-2021-31589, CVE-2021-39226, CVE-2021-4045, CVE-2021-43711, CVE-2022-21371, CVE-2022-21662, CVE-2022-22536, CVE-2022-22947, CVE-2022-22954, CVE-2022-22963, CVE-2022-22965, CVE-2022-24112, CVE-2022-24260, CVE-2022-25060, CVE-2022-25075, CVE-2022-25134, CVE-2022-27226, CVE-2022-29464
Executive Summary
Recent observations of exploits used in the wild reveal that attackers have been making use of newly published remote code execution vulnerabilities in VMware ONE Access and Identity Manager and Spring Cloud Function, Spring MVC and Spring Web Flux, among others. Attackers have also been taking advantage of a cross-site scripting vulnerability in WordPress core, and SQL injection vulnerabilities in VoIPmonitor GUI and other services. In our observations of network security trends, Unit 42 researchers select exploits of the latest published attacks that defenders should know based on the availability of proofs of concept (PoCs), the severity of the vulnerabilities the exploits are based on and the ease of exploitation.
Other insights that could assist defenders includ
Fortinet
Guidance On an Ongoing Hacktivist Operation #Opspatuk Conducted by The Malaysian Hacktivist Threat Group 'DragonForce' Against Indian Organizations | FortiGuard Labs
blogs_fortinet·2022-06-15
FortiGuard Labs Threat Research, by Carl Windsor, Simran Kothari, Ankita Dasgupta, and FortiRecon Team | June 15, 2022
The 'OpsPatuk' operation began on June 6, 2022. That’s when the Malaysian hacktivist group known as DragonForce began targeting India in retaliation for controversial comments made by a BJP spokesperson.
At the time of writing, this operation has compromised over 102 websites and continues to list new targets on various social media platforms, including Telegram, Twitter, and their own DragonForce website.
Widely targeted sectors include financial organizations, government entities, and educational institutions. FortiGuard T
Trendmicro
Patch Your WSO2: CVE-2022-29464 Exploited to Install Linux-Compatible Cobalt Strike Beacons, Other Malware
blogs_trendmicro·2022-05-31·CVSS 9.8·CVE-2022-29464 [CRITICAL]
Exploits & Vulnerabilities
Users of WSO2 products are advised to update their respective products and platforms or to apply the temporary mitigation steps immediately.
By: Hitomi Kimura, Abraham Camba, Ryan Soliven, May 31, 2022
We observed vulnerability CVE-2022-29464 being exploited in the wild since April, allowing unrestricted file uploads resulting in arbitrary remote code execution (RCE). Disclosed and patched in April, the security gap was ranked Critical at 9.8 and affects a number of WSO2 products. It requires no user interaction or administrative privileges for abuse, and can be used to infiltrate networks when left unpatched.
The vul
Crowdstrike
How Adversaries are Weaponizing the Cloud
blogs_crowdstrike
References
- http://packetstormsecurity.com/files/166921/WSO-Arbitrary-File-Upload-Remote-Code-Execution.html
- http://www.openwall.com/lists/oss-security/2022/04/22/7
- https://github.com/hakivvi/CVE-2022-29464
- https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1738/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-29464
Timeline
- 2022-04-18: Published
- 2022-04-25: Added to CISA KEV
- Exploited in the wild