Unrated severityNVD Advisory· Published Nov 5, 2025· Updated Nov 5, 2025

Authenticated Arbitrary File Upload in Multiple WSO2 Products via SOAP Admin Services Leading to Remote Code Execution

CVE-2025-10907

Description

An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and destination in SOAP admin services. A malicious actor with administrative privileges can upload a specially crafted file to a user-controlled location within the deployment.

Successful exploitation may lead to remote code execution (RCE) on the server, depending on how the uploaded file is processed. By default, this vulnerability is only exploitable by users with administrative access to the affected SOAP services.

Affected products

Wso2/Wso2 Traffic Managerv5
Range: 4.5.0
Wso2/Org.wso2.carbon:org.wso2.carbon.utilsv5
Range: 4.5.3
WSO2/WSO2 Open Banking IAMv5
Range: 2.0.0
WSO2/WSO2 Universal Gatewayv5
Range: 4.5.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4603/mitrevendor-advisory

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000