CVE-2025-5717 Overview
CVE-2025-5717 is an authenticated remote code execution (RCE) vulnerability affecting multiple WSO2 products. The flaw exists in the event processor admin service due to improper input validation (CWE-94). An attacker with administrative access to the SOAP admin services can deploy a Siddhi execution plan containing malicious Java code. This results in arbitrary code execution on the underlying server.
Exploitation requires a valid user account with administrative privileges, which limits the attack surface to authenticated users. The vulnerability affects WSO2 API Manager, WSO2 API Control Plane, WSO2 Open Banking AM, and WSO2 Traffic Manager.
Critical Impact
Authenticated administrators can achieve arbitrary code execution on the host, compromising confidentiality, integrity, and availability of the WSO2 deployment.
Affected Products
- WSO2 API Manager versions 3.0.0 through 4.5.0
- WSO2 API Control Plane 4.5.0 and WSO2 Traffic Manager 4.5.0
- WSO2 Open Banking AM 2.0.0
Discovery Timeline
- 2025-09-23 - CVE-2025-5717 published to NVD
- 2025-11-21 - Last updated in NVD database
Technical Details for CVE-2025-5717
Vulnerability Analysis
The vulnerability resides in the event processor admin service exposed through SOAP. WSO2 products rely on Siddhi, a streaming SQL engine, to define event execution plans. The admin service accepts user-supplied Siddhi execution plans without sufficient validation of their contents. An attacker with administrative credentials can craft an execution plan containing arbitrary Java code embedded within Siddhi constructs.
When the malicious plan is deployed, the server compiles and executes the embedded code in the context of the WSO2 runtime. This provides the attacker with the privileges of the WSO2 service account on the host. The flaw is classified under CWE-94 (Improper Control of Generation of Code).
Root Cause
The event processor admin service fails to sanitize or restrict the Java payload contained in Siddhi execution plans submitted via SOAP. The input is treated as trusted because the endpoint requires administrative authentication. This assumption permits code injection at the engine level whenever administrator credentials are abused or compromised.
Attack Vector
The attack is network-based and requires high privileges. An authenticated administrator sends a SOAP request to the event processor admin service containing a Siddhi execution plan with embedded Java code. The server accepts the plan, compiles the Java payload, and executes it. Successful exploitation yields arbitrary code execution on the WSO2 server, with full impact on confidentiality, integrity, and availability.
No verified public proof-of-concept code is available. The vulnerability mechanism is described in the WSO2 Security Advisory WSO2-2025-4119.
Detection Methods for CVE-2025-5717
Indicators of Compromise
- Unexpected SOAP requests to the event processor admin service endpoint from administrative accounts
- New or modified Siddhi execution plans containing inline Java class definitions or import statements
- Child processes spawned by the WSO2 Carbon JVM that do not match normal product behavior, such as shell or scripting interpreters
- Outbound network connections initiated from the WSO2 server to unknown destinations following admin SOAP activity
Detection Strategies
- Audit WSO2 Carbon logs for deployments of execution plans through the event processor admin service, correlating with the authenticating user and source IP
- Monitor for anomalous file writes under WSO2 deployment directories such as repository/deployment/server/executionplans/
- Apply behavioral detection to flag the WSO2 JVM spawning unexpected child processes or loading dynamically compiled classes
Monitoring Recommendations
- Forward WSO2 audit and Carbon logs to a centralized SIEM for retention and correlation with authentication events
- Alert on administrative SOAP admin service usage from non-approved source addresses or outside maintenance windows
- Track file integrity on Siddhi execution plan directories and the WSO2 binaries
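The detection and monitoring points above, combined into one log review routine. This is an added example, not code from the page or from WSO2: the key=value audit line layout, the plan names, the trusted management subnet and the inline-Java indicators are all assumptions, and the sample lines and plan bodies are constructed.

```python
import ipaddress
import re

# Constructed sample audit lines; the key=value layout is an assumption, not WSO2's real log format.
SAMPLE_AUDIT_LOG = """\
2025-09-24T02:11:03Z user=admin src=10.10.0.15 service=EventProcessorAdminService op=deployExecutionPlan plan=orders
2025-09-24T03:45:19Z user=admin src=203.0.113.9 service=EventProcessorAdminService op=deployExecutionPlan plan=planx
2025-09-24T03:46:02Z user=svc_ro src=10.10.0.20 service=RemoteUserStoreManagerService op=listUsers
"""
# Constructed execution plan bodies keyed by plan name (benign streaming query vs. one embedding Java).
SAMPLE_PLANS = {
    "orders": "from OrderStream select symbol, price insert into OutStream;",
    "planx": "import java.lang.Runtime;\nclass Payload { }\nfrom OrderStream select symbol insert into OutStream;",
}
TRUSTED_MGMT = [ipaddress.ip_network("10.10.0.0/24")]  # assumed trusted management subnet
AUDIT_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) service=(?P<service>\S+) "
    r"op=(?P<op>\S+)(?: plan=(?P<plan>\S+))?$"
)
# Heuristic indicators of Java code embedded in a Siddhi execution plan (assumed, tune to your plans).
JAVA_INDICATORS = [
    re.compile(r"\bimport\s+java\."),
    re.compile(r"\bclass\s+\w+\s*\{"),
    re.compile(r"\bRuntime\.getRuntime\s*\("),
    re.compile(r"\bProcessBuilder\b"),
]

def plan_has_java(plan_text: str) -> bool:
    """True if the plan body matches any inline-Java indicator."""
    return any(p.search(plan_text) for p in JAVA_INDICATORS)

def review_audit(log_text: str, plans: dict) -> list:
    """Correlate event processor admin calls with user, source IP and plan contents; return (ts, user, src, reason) tuples."""
    findings = []
    for line in log_text.splitlines():
        m = AUDIT_RE.match(line)
        if not m or m["service"] != "EventProcessorAdminService":
            continue  # only the vulnerable admin service is in scope here
        src = ipaddress.ip_address(m["src"])
        if not any(src in net for net in TRUSTED_MGMT):
            findings.append((m["ts"], m["user"], m["src"], "admin SOAP call from untrusted source"))
        if m["op"] == "deployExecutionPlan" and plan_has_java(plans.get(m["plan"] or "", "")):
            findings.append((m["ts"], m["user"], m["src"], f"plan {m['plan']} embeds Java code"))
    return findings

if __name__ == "__main__":
    for ts, user, src, reason in review_audit(SAMPLE_AUDIT_LOG, SAMPLE_PLANS):
        print(f"{ts} {user}@{src}: {reason}")
```

In a real deployment the plan bodies would be read from the executionplans directory named above, and the findings forwarded to the SIEM alongside the authentication event for the same user and source.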
How to Mitigate CVE-2025-5717
Immediate Actions Required
- Apply the WSO2 update plan or WUM patches referenced in the vendor advisory for each affected product version
- Restrict network access to the SOAP admin services so they are reachable only from trusted management networks
- Rotate administrative credentials and review recent admin account activity for signs of unauthorized execution plan deployments
- Enforce least privilege for WSO2 administrator roles and remove dormant administrative accounts
Patch Information
WSO2 has published remediation guidance in WSO2 Security Advisory WSO2-2025-4119. Customers should follow the advisory to apply the appropriate WUM updates or migration paths for API Manager 3.0.0 through 4.5.0, API Control Plane 4.5.0, Open Banking AM 2.0.0, and Traffic Manager 4.5.0.
Workarounds
- Disable the event processor admin service if it is not required by the deployment
- Block external access to SOAP admin service endpoints at the network or reverse proxy layer
- Require multi-factor authentication for all WSO2 administrative accounts to reduce credential abuse risk
# Example reverse proxy restriction for SOAP admin services (nginx)
location ~* ^/services/.*EventProcessorAdminService.* {
    allow 10.10.0.0/24;  # trusted management subnet
    deny all;
    proxy_pass https://wso2-backend;
}