CVE-2025-5717
Severity CVSS v4.0:
Pending analysis
Type:
CWE-94
Code Injection
Publication date:
23/09/2025
Last modified:
21/11/2025
Description
An authenticated remote code execution (RCE) vulnerability exists in multiple WSO2 products due to improper input validation in the event processor admin service. A user with administrative access to the SOAP admin services can exploit this flaw by deploying a Siddhi execution plan containing malicious Java code, resulting in arbitrary code execution on the server.<br />
<br />
Exploitation of this vulnerability requires a valid user account with administrative privileges, limiting the attack surface to authenticated but potentially malicious users.
Impact
Base Score 3.x
6.80
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:wso2:api_control_plane:4.5.0:-:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:3.0.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:3.2.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:4.1.0:-:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:4.2.0:-:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:4.3.0:-:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:4.4.0:-:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:4.5.0:-:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:open_banking_am:2.0.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:traffic_manager:4.5.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page