CVE-2025-10713
Published: 05 November 2025
Summary
CVE-2025-10713 is a medium-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in WSO2 API Manager. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 23.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-10713 is an XML External Entity (XXE) vulnerability, mapped to CWE-611, affecting multiple WSO2 products. The issue arises from improper configuration of the XML parser, which processes user-supplied XML input without sufficient restrictions on external entity resolution. Published on 2025-11-05T18:15:32.247, it carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H).
A remote, unauthenticated attacker can exploit this vulnerability by submitting malicious XML payloads. Successful exploitation enables the attacker to read sensitive files from the server's filesystem or perform denial-of-service (DoS) attacks that render affected services unavailable, with high impacts on confidentiality and availability.
The primary advisory from WSO2 is available at https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4505/, which security practitioners should review for detailed mitigation guidance, patches, and affected product versions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-37941
Vulnerability details
An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The application parses user-supplied XML without applying sufficient restrictions, allowing resolution of external entities. A successful attack could enable a remote, unauthenticated attacker to read sensitive files from the server's filesystem or perform denial-of-service (DoS) attacks that render affected services unavailable.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
XXE vulnerability in public-facing WSO2 products enables exploitation of public-facing application (T1190), arbitrary file reads from server filesystem (T1005), and DoS via entity expansion (T1499.004).
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation of user-supplied XML inputs to reject or sanitize malicious external entities, directly preventing XXE exploitation for file disclosure or DoS.
CM-6 mandates secure configuration settings for the XML parser to disable external entity resolution, addressing the root cause of improper parser configuration in this CVE.
SI-2 ensures timely remediation of the identified XXE flaw through patching as recommended in the WSO2 advisory, eliminating the vulnerability.
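The root cause described under Deeper analysis is an XML parser left at defaults that process DOCTYPE declarations and resolve external entities. The Java example below is added here as an illustration of the CM-6 control; it is not code from WSO2, from the advisory, or from the affected products. It builds a JAXP DocumentBuilderFactory with the standard Xerces/JAXP feature URIs that disable DTD and external entity handling, places it beside a factory with default settings, and runs both over two constructed inputs: a plain document and one that carries a DOCTYPE with an entity declaration. The class and method names are the example's own.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class XxeHardening {

    /** Factory with JAXP defaults: DOCTYPEs and external entities are processed (the CWE-611 pattern). */
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** Factory configured as CM-6 requires: no DOCTYPE, no external entity resolution, no XInclude. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Rejecting any DOCTYPE blocks external entities and entity-expansion DoS in one step.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that honour only the SAX-level features.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** Parses one document with the given factory and reports whether it was accepted or rejected. */
    static String parse(DocumentBuilderFactory dbf, String xml) {
        try {
            DocumentBuilder db = dbf.newDocumentBuilder();
            Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "accepted: root=" + doc.getDocumentElement().getTagName();
        } catch (SAXException e) {
            // The hardened factory lands here for any input that carries a DOCTYPE.
            return "rejected: " + e.getMessage();
        } catch (Exception e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs; the second carries an internal DTD only, no external reference.
        String plain = "<order><id>42</id></order>";
        String withDoctype =
            "<!DOCTYPE order [<!ENTITY note \"placeholder\">]><order><id>&note;</id></order>";

        System.out.println("default,  plain   : " + parse(defaultFactory(), plain));
        System.out.println("default,  doctype : " + parse(defaultFactory(), withDoctype));
        System.out.println("hardened, plain   : " + parse(hardenedFactory(), plain));
        System.out.println("hardened, doctype : " + parse(hardenedFactory(), withDoctype));
    }
}
```

The default factory accepts both inputs, expanding the entity; the hardened factory accepts the plain document and rejects the DOCTYPE input with a SAXParseException before any entity is resolved. Applying the same feature set to every parser the application creates (SAXParserFactory, XMLInputFactory and TransformerFactory included) is the configuration-level fix; SI-2 patching per the WSO2 advisory remains necessary because the vulnerable parser lives inside the product, not in integrator code.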