CVE-2025-1862
Published 2025-09-26
Priority: P3, 51, high
CVSS 3.1: 7.2 (AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H)
EPSS: 0.50% (39.1th percentile)
An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user-supplied filenames in the BPEL uploader SOAP service endpoint. A malicious actor with administrative privileges can upload arbitrary files to a user-controlled location on the server.
By leveraging this vulnerability, an attacker can upload a specially crafted payload and achieve remote code execution (RCE), potentially compromising the server and its data.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wso2 | enterprise_integrator | — | — |
| wso2 | identity_server | — | — |
| wso2 | identity_server | — | — |
| wso2 | identity_server | — | — |
| wso2 | identity_server | — | — |
| wso2 | identity_server_as_key_manager | — | — |
| wso2 | open_banking_iam | — | — |
| wso2 | wso2_enterprise_integrator | >= 6.6.0 < 6.6.0.215 | 6.6.0.215 |
| wso2 | wso2_identity_server | >= 5.10.0 < 5.10.0.347 | 5.10.0.347 |
| wso2 | wso2_identity_server | >= 5.11.0 < 5.11.0.396 | 5.11.0.396 |
| wso2 | wso2_identity_server | >= 6.0.0 < 6.0.0.232 | 6.0.0.232 |
| wso2 | wso2_identity_server | >= 6.1.0 < 6.1.0.224 | 6.1.0.224 |
| wso2 | wso2_identity_server_as_key_manager | >= 5.10.0 < 5.10.0.340 | 5.10.0.340 |
| wso2 | wso2_open_banking_iam | >= 2.0.0 < 2.0.0.391 | 2.0.0.391 |
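CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| vendor_redhat | — | 5.5 | MEDIUM | — |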
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-09-26: Published