Security Advisory WSO2-2025-4119/CVE-2025-5717

Published: 2025-07-15

Updated: 2025-10-31

Version: 1.0.1

Severity: Medium

CVSS Score: 6.8 (CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

CVE IDs: CVE-2025-5717

AFFECTED PRODUCTS

  • WSO2 API Manager: 3.0.0, 3.1.0, 3.2.0, 3.2.1, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0
  • WSO2 Open Banking AM: 2.0.0
  • WSO2 API Control Plane: 4.5.0
  • WSO2 Traffic Manager: 4.5.0

OVERVIEW

Authenticated Remote Code Execution vulnerability via event processor admin service.

DESCRIPTION

Due to the improper input validation, a remote code execution attack could be carried out via certain admin operations in the event processor admin service.

IMPACT

In order to exploit this vulnerability, the malicious actor should have a valid user account which has administrative access to the SOAP Admin Services. If such access could be obtained, a malicious actor could execute arbitrary code on the server by deploying a Siddhi execution plan that contains malicious Java code.

SOLUTION

Community Users (Open Source)

Apply the relevant fixes to your product using the public fix(es) provided below.

If applying the fix or update is not feasible, migrate to the latest unaffected version of the respective WSO2 product(s).

Support Subscription Holders

Update your product to the specified update level or a higher update level to apply the fix.

Info

WSO2 Support Subscription Holders may use WSO2 Updates in order to apply the fix.

Product Name Product Version U2 Update Level
WSO2 API Manager 3.0.0 174
WSO2 API Manager 3.1.0 330
WSO2 API Manager 3.2.0 426
WSO2 API Manager 3.2.1 46
WSO2 API Manager 4.0.0 344
WSO2 API Manager 4.1.0 208
WSO2 API Manager 4.2.0 147
WSO2 API Manager 4.3.0 59
WSO2 API Manager 4.4.0 22
WSO2 API Manager 4.5.0 6
WSO2 Open Banking AM 2.0.0 379
WSO2 API Control Plane 4.5.0 6
WSO2 Traffic Manager 4.5.0 6

CREDITS

WSO2 thanks, Noël MACCARY for responsibly reporting the identified issue and working with us as we addressed it.