CVE-2025-1862

Published: Sep 26, 2025Modified: Oct 6, 2025

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user-supplied filenames in the BPEL uploader SOAP service endpoint. A malicious actor with administrative privileges can upload arbitrary files to a user-controlled location on the server. By leveraging this vulnerability, an attacker can upload a specially crafted payload and achieve remote code execution (RCE), potentially compromising the server and its data.

Affected (7)

Products: Wso2: Enterprise Integrator, Identity Server, Identity Server As Key Manager, Open Banking Iam

Wso2

4 products

Enterprise Integrator

Identity Server

Identity Server As Key Manager

Open Banking Iam

Configuration A

7 vulnerable

Vulnerable Software	Affected Versions
Wso2 Enterprise Integrator	Version 6.6.0
Wso2 Identity Server	Version 5.10.0
Wso2 Identity Server	Version 5.11.0
Wso2 Identity Server	Version 6.0.0
Wso2 Identity Server	Version 6.1.0
Wso2 Identity Server As Key Manager	Version 5.10.0
Wso2 Open Banking Iam	Version 2.0.0

Related CWEs

CWE-434

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (1)

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3992/

Source: ed10eef1-636d-4fbe-9993-6890dfa878f8

Vendor Advisory

Timeline

No history available yet.