Cyber Resilience

CVE-2022-29464

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 18 April 2022

Modified: 07 November 2025
KEV Added: 25 April 2022
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9443 (100.0th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-29464 is a critical-severity Path Traversal (CWE-22) vulnerability in WSO2 Identity Server Analytics. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2022-29464 is an unrestricted file upload vulnerability that permits remote code execution through directory traversal. It affects multiple WSO2 products including API Manager versions 2.2.0 through 4.0.0, Identity Server 5.2.0 through 5.11.0, Identity Server as Key Manager 5.3.0 through 5.11.0, Enterprise Integrator 6.2.0 through 6.6.0, and several related Open Banking and analytics components. The flaw resides in the handling of the /fileupload endpoint, where an attacker-supplied Content-Disposition header containing sequences such as ../../../../repository/deployment/server/webapps allows placement of arbitrary files under the web root.

Unauthenticated remote attackers can exploit the issue over the network by sending a crafted multipart request to the vulnerable endpoint. Successful exploitation grants the ability to write executable code into a web-accessible directory, resulting in full compromise of the confidentiality, integrity, and availability of the affected server with a CVSS score of 9.8.

WSO2 has published a security advisory (WSO2-2021-1738) that describes the affected versions and provides mitigation guidance; public proof-of-concept code and exploit modules have also been released. The associated EPSS score has reached a peak of 0.9750 with a current value of 0.9443, indicating sustained exploitation interest following disclosure.

EU & UK References

Vulnerability details

Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 up to 4.0.0, WSO2 Identity Server 5.2.0 up to 5.11.0, WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0 and 5.6.0, WSO2 Identity Server as Key Manager 5.3.0 up to 5.11.0, WSO2 Enterprise Integrator 6.2.0 up to 6.6.0, WSO2 Open Banking AM 1.4.0 up to 2.0.0 and WSO2 Open Banking KM 1.4.0 up to 2.0.0.

CWE(s): CWE-22 (Path Traversal)

Related Threats

Threat-Actor Attribution (AI)

Cl0p (aka FIN11)
Cl0p ransomware exploited WSO2 zero-day CVE-2022-29464 (CISA KEV + Mandiant reporting).

Affected Assets

WSO2 API Manager: 2.2.0 — 4.0.0
WSO2 Enterprise Integrator: 6.2.0 — 6.6.0
WSO2 Identity Server: 5.2.0 — 5.11.0
WSO2 Identity Server Analytics: 5.4.0, 5.4.1, 5.5.0, 5.6.0
WSO2 Identity Server as Key Manager: 5.3.0 — 5.10.0
WSO2 Open Banking AM: 1.3.0 — 2.0.0
WSO2 Open Banking IAM: 2.0.0
WSO2 Open Banking KM: 1.3.0 — 1.5.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent (SI-10, Information Input Validation): Enforces validation of file-upload inputs (including Content-Disposition headers) to reject directory traversal sequences and arbitrary file writes to the web root.

prevent (AC-3, Access Enforcement): Requires explicit access-control enforcement on the /fileupload endpoint so that unauthenticated or unauthorized POST requests are denied before any file is stored.

prevent: Restricts the system to only the minimal set of functions, disabling or tightly constraining the unrestricted file-upload capability that the vulnerability exploits.
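The following Python is an added example written for this page; it is not WSO2's code and not the patched /fileupload handler. It demonstrates the two defensive sides of the flaw described above: a server-side check that takes the attacker-controlled Content-Disposition filename and only accepts a bare filename that resolves inside the intended upload directory (the SI-10 control), and a detection pass over access-log lines for POSTs to /fileupload whose Content-Disposition carries a traversal sequence. The upload directory, the log format (a reverse proxy or WAF that records the header in a cd="..." field) and all log lines are constructed for the example.

```python
"""Defensive checks for multipart uploads: filename validation and log detection.

Added example for CVE-2022-29464 (not WSO2's code). All paths, the access-log
format and the sample log lines below are constructed for illustration.
"""
import re
from pathlib import Path
from typing import List, Optional

# Constructed upload directory; stands in for the product's real upload location.
UPLOAD_DIR = Path("/tmp/wso2-example-uploads")

# Extracts the filename parameter from a Content-Disposition header value.
# RFC 5987 "filename*=" forms are deliberately not matched and so are rejected.
_FILENAME_RE = re.compile(r'filename="?([^";]+)"?', re.IGNORECASE)

# Allow-list for stored filenames: a single component, no leading dot, no separators.
_SAFE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def content_disposition_filename(header_value: str) -> Optional[str]:
    """Return the filename parameter of a Content-Disposition value, or None."""
    m = _FILENAME_RE.search(header_value)
    return m.group(1).strip() if m else None


def safe_upload_path(upload_dir: Path, header_value: str) -> Path:
    """Return the path a file from this header may be written to, or raise ValueError.

    Traversal is rejected explicitly (any separator or ".." component) rather than
    silently stripped, so an attempt is visible to the caller and can be logged.
    """
    raw = content_disposition_filename(header_value)
    if raw is None:
        raise ValueError("Content-Disposition carries no filename")
    if "/" in raw or "\\" in raw or "\x00" in raw:
        raise ValueError(f"path separators are not allowed in upload filename: {raw!r}")
    if not _SAFE_NAME_RE.fullmatch(raw):
        raise ValueError(f"filename outside the allow-list: {raw!r}")
    base = upload_dir.resolve()
    target = (base / raw).resolve()
    # Belt-and-braces containment check: the resolved target must sit directly
    # under the upload directory (guards against symlinked upload dirs too).
    if target.parent != base:
        raise ValueError(f"resolved path escapes upload directory: {target}")
    return target


def upload_is_allowed(upload_dir: Path, header_value: str) -> bool:
    """Boolean wrapper around safe_upload_path for callers that only need a verdict."""
    try:
        safe_upload_path(upload_dir, header_value)
        return True
    except ValueError:
        return False


# Constructed log format: Common Log Format request line, status, size, then a
# cd="..." field holding the multipart part's Content-Disposition value.
_ACCESS_LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ cd="(?P<cd>[^"]*)"'
)
# Plain and URL-encoded "../" variants.
_TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\|\.\.%2f|%2e%2e", re.IGNORECASE)

# Constructed sample lines; none of these come from a real system.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [20/Apr/2022:10:01:12 +0000] "POST /fileupload HTTP/1.1" 200 57 '
    'cd="form-data; name=file; filename=../../../../repository/deployment/server/webapps/x.jsp"',
    '10.0.0.7 - - [20/Apr/2022:10:01:15 +0000] "GET /carbon/admin/login.jsp HTTP/1.1" 200 1024 cd="-"',
    '10.0.0.9 - - [20/Apr/2022:10:02:03 +0000] "POST /fileupload HTTP/1.1" 200 40 '
    'cd="form-data; name=file; filename=report.pdf"',
    '198.51.100.23 - - [20/Apr/2022:10:05:41 +0000] "POST /fileupload HTTP/1.1" 500 12 '
    'cd="form-data; name=file; filename=..%2f..%2f..%2f..%2frepository%2fdeployment%2fserver%2fwebapps%2fy.jsp"',
    # Traversal against a different, constructed path: outside this rule's scope.
    '198.51.100.24 - - [20/Apr/2022:10:06:02 +0000] "POST /api/upload HTTP/1.1" 404 0 '
    'cd="form-data; name=f; filename=../x"',
]


def find_traversal_uploads(log_lines: List[str]) -> List[str]:
    """Return log lines for POSTs to /fileupload whose Content-Disposition has traversal."""
    hits = []
    for line in log_lines:
        m = _ACCESS_LOG_RE.search(line)
        if m is None:
            continue
        if (m.group("method") == "POST"
                and m.group("path").startswith("/fileupload")
                and _TRAVERSAL_RE.search(m.group("cd"))):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for header in ('form-data; name="file"; filename="report.pdf"',
                   'form-data; name="file"; filename="../../../../repository/deployment/server/webapps/x.jsp"'):
        print(f"{header!r}: allowed={upload_is_allowed(UPLOAD_DIR, header)}")
    for hit in find_traversal_uploads(SAMPLE_ACCESS_LOG):
        print("traversal upload attempt:", hit)
```

The validation rejects rather than sanitises: a filename containing a separator is an error the application should log, which is the same signal the detection pass looks for in the proxy log. The detection rule is scoped to /fileupload because that is the endpoint the advisory names; widen the path filter if the same proxy fronts other upload handlers.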

References