A file upload vulnerability exists in the throttling policy import REST API at /api/am/admin/v4/throttling/policies/import. The endpoint performs no validation on the filename in the multipart request, allowing an attacker with an apim:admin access token to write arbitrary files to the server via path traversal. Despite the server returning a 500 Internal Server Error, the file is written to disk before the error occurs, allowing JSP web shells to be placed into web-accessible directories.
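The defect described above is the classic pattern of joining a client-supplied multipart filename onto a server directory without validation, so `../` segments walk out of the intended location, and of writing to disk before the request is fully checked. The following is an added illustration, not the vendor's code or its patch: `naive_target_path` shows the unsafe pattern, and `safe_target_path` / `store_import` show the hardened form, which reduces the name to a validated basename, confirms the resolved path stays inside the import directory, and only then writes. The `.json` allowlist and the function and directory names are assumptions chosen for the example.

```python
import os
import re
import tempfile

# Constructed allowlist: a simple basename, alphanumeric start, at most 100
# characters. The real import format is not given on the page, so the
# extension check below is an assumption, not the product's rule.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")


def naive_target_path(base_dir, client_filename):
    """Unsafe pattern: trust the multipart filename and join it onto the
    import directory. A name such as '../../x.jsp' resolves outside base_dir."""
    return os.path.normpath(os.path.join(base_dir, client_filename))


def safe_target_path(base_dir, client_filename):
    """Hardened version: validate the name, then prove containment."""
    if not client_filename or "\x00" in client_filename:
        raise ValueError("empty or NUL-containing filename")
    # Reject any directory component, POSIX or Windows style, before anything else.
    if "/" in client_filename or "\\" in client_filename:
        raise ValueError("filename must not contain path separators")
    if client_filename in (".", "..") or not NAME_RE.match(client_filename):
        raise ValueError("filename fails the basename allowlist")
    if not client_filename.lower().endswith(".json"):
        raise ValueError("unexpected extension for a policy import")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, client_filename))
    # Containment check: the resolved target must live under the resolved base.
    if os.path.commonpath([base, target]) != base or target == base:
        raise ValueError("resolved path escapes the import directory")
    return target


def is_acceptable(base_dir, client_filename):
    """Boolean wrapper for callers that only need an accept/reject decision."""
    try:
        safe_target_path(base_dir, client_filename)
        return True
    except ValueError:
        return False


def store_import(base_dir, client_filename, data):
    """Validate first, write second: nothing touches disk until the name passes,
    so a rejected request cannot leave a file behind the way the vulnerable
    endpoint does when it fails with a 500 after writing."""
    target = safe_target_path(base_dir, client_filename)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


if __name__ == "__main__":
    d = tempfile.mkdtemp()
    print("naive:", naive_target_path(d, "../../escaped.jsp"))
    print("safe :", store_import(d, "policy.json", b'{"name": "demo"}'))
```

The containment check is deliberately kept even though the basename allowlist already excludes separators; defence in depth matters here because the check is cheap and protects against a later relaxation of the allowlist. A detection-side corollary of the advisory text: a 500 response from this endpoint is not evidence that no file was written, so file-integrity monitoring on web-accessible directories is the reliable signal.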
The required apim:admin access token can be obtained without credentials via authentication bypass vulnerabilities (e.g., CVE-2025-9152, CVE-2025-10611), making this exploitable as part of a pre-auth RCE chain.
This vulnerability has been patched by the vendor.