CVE-2025-10907 Overview
CVE-2025-10907 is an arbitrary file upload vulnerability affecting multiple WSO2 products. The flaw exists in SOAP admin services that insufficiently validate uploaded content and destination paths. An authenticated attacker with administrative privileges can upload a crafted file to a user-controlled location within the deployment. Depending on how the server processes the uploaded artifact, exploitation can result in remote code execution (RCE). The weakness is tracked under [CWE-434] (Unrestricted Upload of File with Dangerous Type) and impacts products including WSO2 API Manager, Identity Server, Enterprise Integrator, Open Banking AM/IAM, Traffic Manager, Universal Gateway, and API Control Plane.
Critical Impact
Administrative attackers can write arbitrary files to controlled deployment locations, enabling potential remote code execution on affected WSO2 servers.
Affected Products
- WSO2 API Manager (3.1.0 through 4.5.0) and API Control Plane 4.5.0
- WSO2 Identity Server (5.10.0 through 7.1.0) and Identity Server as Key Manager 5.10.0
- WSO2 Enterprise Integrator 6.6.0, Open Banking AM/IAM 2.0.0, Traffic Manager 4.5.0, Universal Gateway 4.5.0
Discovery Timeline
- 2025-11-05 - CVE-2025-10907 published to the National Vulnerability Database (NVD)
- 2025-12-04 - Last updated in NVD database
- Vendor advisory - WSO2 Security Advisory WSO2-2025-4603
Technical Details for CVE-2025-10907
Vulnerability Analysis
The vulnerability resides in SOAP admin services exposed by WSO2 products. These services accept file uploads but fail to enforce strict validation on both the content type and the destination directory. An authenticated administrator can therefore submit a SOAP request containing arbitrary file bytes and direct the server to write the file to a path under attacker control.
When the uploaded file lands in a location that the WSO2 runtime later processes, such as a deployment directory monitored for hot deployment of services, libraries, or configuration, the file contents can be executed by the server. This converts a write primitive into remote code execution under the WSO2 service account.
The issue requires administrative access by default. However, environments that share admin credentials, expose management consoles to wide networks, or chain this flaw with earlier authentication weaknesses face increased risk.
Root Cause
The SOAP admin services do not enforce an allowlist of acceptable file extensions, MIME types, or destination directories. Input validation is missing for both the file payload and the target path, allowing path manipulation and dangerous file types to be written to sensitive runtime locations.
Attack Vector
Exploitation is performed over the network against the SOAP management endpoints. The attacker authenticates with administrative credentials, then issues a SOAP request that specifies the file payload and a target deployment path. After the file is written, the WSO2 runtime processes the artifact and executes attacker-controlled code.
The vulnerability is described in prose only because no public proof-of-concept exploit has been released. Refer to the WSO2 Security Advisory WSO2-2025-4603 for vendor-confirmed technical details.
Detection Methods for CVE-2025-10907
Indicators of Compromise
- New or unexpected files appearing in WSO2 deployment directories such as repository/deployment/server/ or repository/components/lib/
- SOAP requests to admin services (for example, endpoints under /services/) carrying base64-encoded file payloads from administrative sessions
- Outbound network connections or child processes spawned by the WSO2 Java process shortly after admin SOAP activity
Detection Strategies
- Monitor WSO2 audit logs for administrative SOAP calls that include file upload operations and correlate with subsequent file system writes
- Apply file integrity monitoring to deployment, library, and configuration directories used by WSO2 runtimes
- Hunt for anomalous administrator logins originating from unexpected IP ranges or outside maintenance windows
Monitoring Recommendations
- Forward WSO2 carbon logs, audit logs, and HTTP access logs to a centralized SIEM for correlation
- Alert on process executions where the WSO2 Java process spawns shells, scripting interpreters, or networking utilities
- Track changes to webapps/, repository/deployment/, and any custom artifact directories referenced by the deployment
How to Mitigate CVE-2025-10907
Immediate Actions Required
- Apply the fixes listed in WSO2 Security Advisory WSO2-2025-4603 to all affected product versions
- Restrict network access to SOAP admin services so they are reachable only from trusted management networks
- Rotate administrative credentials and review accounts with admin privileges on WSO2 deployments
- Audit deployment directories for unexpected artifacts created since the product was first exposed
Patch Information
WSO2 has published remediation guidance in advisory WSO2-2025-4603 covering API Manager, Identity Server, Enterprise Integrator, Open Banking AM/IAM, Traffic Manager, Universal Gateway, API Control Plane, and Identity Server as Key Manager. Customers should consult the advisory for the specific WUM updates or version upgrades that apply to their installation.
Workarounds
- Limit administrative role membership and require multi-factor authentication for management console access
- Place WSO2 management interfaces behind a reverse proxy or VPN that restricts source IP addresses
- Disable or block external access to unused SOAP admin services where business requirements allow
# Example: restrict SOAP admin service exposure at the reverse proxy
# (illustrative configuration - adapt to your environment)
location /services/ {
allow 10.0.0.0/8; # internal management network
deny all;
proxy_pass https://wso2-backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

