Security Advisory WSO2-2026-5039/CVE-2025-5717
Published: 2026-05-03
Version: 1.0.0
Severity: Critical
CVSS Score: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVE IDs: CVE-2025-5717
AFFECTED PRODUCTS
- API Manager Analytics: 2.1.0
- WSO2 API Manager: 3.0.0, 2.6.0, 2.5.0, 2.2.0, 2.1.0
- WSO2 Enterprise Integrator: 6.1.1, 6.1.0, 6.0.0
- WSO2 Identity Server Analytics: 5.4.1, 5.4.0, 5.3.0, 5.2.0
OVERVIEW
Arbitrary Remote Code Execution vulnerability via the Siddhi Try It feature.
DESCRIPTION
The Siddhi Try It feature allows an unauthenticated attacker to submit crafted Siddhi execution plans and obtain remote command execution.
IMPACT
By leveraging the vulnerability, an unauthenticated attacker can execute arbitrary code on the affected server.
SOLUTION
Community Users (Open Source)
Migrate to the latest unaffected version of the respective WSO2 product(s).
Support Subscription Holders
Update your product to the specified update level, or to a higher update level, to mitigate the identified vulnerability.
Info: WSO2 Support Subscription Holders may use WSO2 Updates in order to apply the fix.
| Product Name | Product Version | Update Level |
|---|---|---|
| API Manager Analytics | 2.1.0 | 20 |
| WSO2 API Manager | 3.0.0 | 181 |
| WSO2 API Manager | 2.6.0 | 151 |
| WSO2 API Manager | 2.5.0 | 88 |
| WSO2 API Manager | 2.2.0 | 62 |
| WSO2 API Manager | 2.1.0 | 43 |
| WSO2 Enterprise Integrator | 6.1.1 | 44 |
| WSO2 Enterprise Integrator | 6.1.0 | 40 |
| WSO2 Enterprise Integrator | 6.0.0 | 23 |
| WSO2 Identity Server Analytics | 5.4.1 | 19 |
| WSO2 Identity Server Analytics | 5.4.0 | 16 |
| WSO2 Identity Server Analytics | 5.3.0 | 18 |
| WSO2 Identity Server Analytics | 5.2.0 | 20 |