CVE-2025-3125
An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader admin service endpoint. An authenticated attacker with appropriate privileges can upload a malicious file to a user-controlled location on the server, potentially leading to remote code execution (RCE).
This functionality is restricted by default to admin users; therefore, successful exploitation requires valid credentials with administrative permissions.
| Software | From | Fixed in |
|---|---|---|
| wso2 / api_control_plane | 4.5.0 | 4.5.0.x |
| wso2 / api_manager | 3.2.0 | 3.2.0.x |
| wso2 / api_manager | 3.2.1 | 3.2.1.x |
| wso2 / api_manager | 4.0.0 | 4.0.0.x |
| wso2 / api_manager | 4.1.0 | 4.1.0.x |
| wso2 / api_manager | 4.2.0 | 4.2.0.x |
| wso2 / api_manager | 4.3.0 | 4.3.0.x |
| wso2 / api_manager | 4.4.0 | 4.4.0.x |
| wso2 / api_manager | 4.5.0 | 4.5.0.x |
| wso2 / enterprise_integrator | 6.6.0 | 6.6.0.x |
| wso2 / identity_server | 5.10.0 | 5.10.0.x |
| wso2 / identity_server | 5.11.0 | 5.11.0.x |
| wso2 / identity_server | 6.0.0 | 6.0.0.x |
| wso2 / identity_server | 6.1.0 | 6.1.0.x |
| wso2 / identity_server | 7.0.0 | 7.0.0.x |
| wso2 / identity_server_as_key_manager | 5.10.0 | 5.10.0.x |
| wso2 / open_banking_iam | 2.0.0 | 2.0.0.x |
| wso2 / traffic_manager | 4.5.0 | 4.5.0.x |
| wso2 / universal_gateway | 4.5.0 | 4.5.0.x |
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime