lokvica

Authenticated Arbitrary File Upload in Multiple WSO2 Products via SOAP Admin Services Leading to Remote Code Execution

Date:
CVE ID: CVE-2025-10907
CVSS score: 9.1 * (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
Product: Multiple (WSO2)
Researcher: @crnkovic
Type: RCE
CWE: CWE-434

Multiple SOAP admin services in WSO2 products let an authenticated user upload files without adequately validating the supplied filename or its extension. Because a filename containing path-traversal sequences is joined onto the destination directory as-is, an attacker can write arbitrary files anywhere the server process can write, including JSP web shells placed into web-accessible directories, which yields code execution in the context of the server process.

The vulnerability exists independently in multiple services, including EventSimulatorAdminService, LibraryUploader, ModuleAdminService, WebappAdmin, and JaggeryAppAdmin. The last two offer an even more direct route: they accept .war archives, which the server automatically extracts and deploys into a web-accessible directory, so no traversal in the filename is needed.
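The pattern behind the traversal variant, as an added illustration that is not WSO2's code and not the researcher's exploit: a save routine that joins the caller-supplied filename onto the upload directory unchanged, beside a hardened version that only accepts a bare filename with an allowlisted extension and confirms the canonical destination still sits inside the upload directory. The directory layout, the `uploads`/`webapps` names, the `.jar`/`.csv` allowlist and the placeholder JSP payload are all constructed for the example; none of them come from the advisory, and the real services are Java, so this is a language-neutral sketch of the defect and the check, not a patch.

```python
import os
import tempfile
from pathlib import Path

# Extension allowlist for the hypothetical upload endpoint (assumption, not WSO2's list).
ALLOWED_EXTENSIONS = {".jar", ".csv"}


def vulnerable_save(upload_dir: str, filename: str, data: bytes) -> str:
    """Weak pattern: the caller-supplied filename is joined onto the upload
    directory with no check for separators, '..' or extension, so a name such
    as '../webapps/evil.jsp' lands outside upload_dir."""
    dest = os.path.join(upload_dir, filename)
    with open(dest, "wb") as fh:
        fh.write(data)
    return os.path.realpath(dest)


def safe_save(upload_dir: str, filename: str, data: bytes) -> str:
    """Hardened form: bare filename only, allowlisted extension, and a
    canonical containment check before any byte is written."""
    base = Path(upload_dir).resolve()
    # 1. Bare filename: no '/', no '\\' (Windows hosts), no NUL, not '.'/'..'.
    #    os.path.basename alone is not enough on POSIX, where '\\' is a legal
    #    filename character, so the separators are rejected explicitly.
    if (not filename
            or any(c in filename for c in "/\\\x00")
            or filename != os.path.basename(filename)
            or filename in (".", "..")):
        raise ValueError("filename must be a bare name")
    # 2. Extension allowlist on the real suffix (lower-cased).
    if Path(filename).suffix.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    # 3. Canonical containment: resolve() follows symlinks, so an existing
    #    symlink of the same name pointing elsewhere is rejected here too.
    dest = (base / filename).resolve()
    if dest.parent != base:
        raise ValueError("destination escapes upload directory")
    dest.write_bytes(data)
    return str(dest)


def demo() -> dict:
    """Build a throwaway server layout and record where each variant writes."""
    root = Path(tempfile.mkdtemp(prefix="uploaddemo-"))
    upload = root / "uploads"
    webapps = root / "webapps"  # stand-in for a web-accessible deployment directory
    upload.mkdir()
    webapps.mkdir()
    payload = b"<%-- constructed placeholder, not a real web shell --%>"
    traversal = "../webapps/evil.jsp"

    results = {}
    # Vulnerable routine: the file escapes uploads/ and lands in webapps/.
    results["vulnerable_path"] = vulnerable_save(str(upload), traversal, payload)
    results["landed_in_webapps"] = Path(results["vulnerable_path"]).parent == webapps.resolve()

    # Hardened routine: every hostile name is rejected with a reason.
    for name in (traversal, "/etc/evil.jar", "lib.jsp", "..", "a\\b.jar"):
        try:
            safe_save(str(upload), name, payload)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = str(exc)

    # A legitimate name still works and stays inside uploads/.
    results["good"] = safe_save(str(upload), "lib.jar", payload)
    results["good_in_uploads"] = Path(results["good"]).parent == upload.resolve()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!s:24} -> {value}")
```

The containment check is deliberately the last line of defence rather than the only one: rejecting separators up front gives a clear error for the common case, while the `resolve()` comparison also catches the symlink and case-folding edge cases that string checks miss. The archive route the advisory describes for WebappAdmin and JaggeryAppAdmin is a different defect (a deployable archive is the payload itself) and is not addressed by filename validation.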

When chained with the authentication bypass vulnerabilities CVE-2025-9152 and CVE-2025-10611, this becomes full pre-authentication remote code execution.

This vulnerability was responsibly disclosed and has been patched by the vendor.

Affected products

See also