Cyber Posture

CVE-2025-10907

Severity: High
Published: 05 November 2025
Modified: 04 December 2025
KEV Added: not listed
Patch: WSO2 security advisory WSO2-2025-4603
CVSS Score: 8.4 (CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0041 (61.4th percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-10907 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in multiple WSO2 products, including WSO2 API Manager, WSO2 Identity Server and WSO2 Enterprise Integrator. Its CVSS v3.1 base score is 8.4 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation of Remote Services (T1210). Its EPSS score places it in the top 38.6% of CVEs by predicted exploit likelihood (61.4th percentile), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210) and Web Shell (T1505.003). What defenders deploy: the NIST 800-53 controls listed below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): directly addresses the core issue, insufficient validation of uploaded content and destination in the SOAP admin services, by validating both the bytes of the uploaded file and the path it is written to.

SI-2 Flaw Remediation (prevent): remediates the specific arbitrary file upload flaw by identifying, prioritizing and applying the vendor patches or updates referenced in the WSO2 security advisory.

Least privilege (prevent): reduces exploitability by ensuring only essential personnel hold the administrative privileges required to reach the vulnerable SOAP admin services.
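The SI-10 point above is abstract, so here is what "validate content and destination" means in code. This is an added example written for this page, not WSO2's code or the fix from the advisory: it shows the CWE-434 shape (client-supplied name chooses the destination, content never inspected) next to a hardened handler that confines the destination to one directory, allow-lists the file type from its bytes rather than its name, and refuses to overwrite. The allow-list, directory names and file names in demo() are assumptions constructed for illustration.

```python
"""Upload handling with content and destination validation (CWE-434).

Added example, not WSO2 code: it models the two checks the SI-10 control
asks of any admin-facing upload service. File names, directories and the
allow-list below are assumptions chosen for illustration.
"""
from __future__ import annotations

import os
import pathlib
import re
import tempfile


class UploadRejected(Exception):
    """Raised when either the name/destination or the content fails a check."""


# Allow-list keyed by extension; each entry verifies the *bytes*, not the
# client-supplied name or MIME type (assumed set of types for this example).
ALLOWED = {
    ".pem": lambda b: b.startswith(b"-----BEGIN "),
    ".json": lambda b: b.lstrip()[:1] in (b"{", b"["),
    ".png": lambda b: b.startswith(b"\x89PNG\r\n\x1a\n"),
}
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def store_upload_vulnerable(upload_root: pathlib.Path, client_name: str, data: bytes) -> pathlib.Path:
    """The CWE-434 shape: the client-supplied name picks the destination
    (so '../webapps/x.jsp' escapes the upload directory) and the content is
    never inspected. Kept deliberately broken for contrast."""
    dest = upload_root / client_name
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest


def safe_destination(upload_root: pathlib.Path, client_name: str) -> pathlib.Path:
    """Confine the destination to upload_root regardless of what the client sent."""
    name = os.path.basename(client_name.replace("\\", "/"))  # drop any directory part
    if not SAFE_NAME.match(name):
        raise UploadRejected(f"unsafe file name: {client_name!r}")
    root = upload_root.resolve()
    dest = (root / name).resolve()
    if dest.parent != root:  # the resolved path must still sit directly in root
        raise UploadRejected("destination escapes upload root")
    return dest


def validate_content(name: str, data: bytes) -> str:
    """Allow-list the extension and require the bytes to match it."""
    ext = pathlib.PurePosixPath(name).suffix.lower()
    check = ALLOWED.get(ext)
    if check is None:
        raise UploadRejected(f"extension not allowed: {ext or '(none)'}")
    if not check(data):
        raise UploadRejected(f"content does not look like {ext}")
    return ext


def store_upload(upload_root: pathlib.Path, client_name: str, data: bytes) -> pathlib.Path:
    """Hardened path: destination confined, content allow-listed, no overwrite."""
    dest = safe_destination(upload_root, client_name)
    validate_content(dest.name, data)
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)  # O_EXCL: never clobber
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def demo() -> dict:
    """Constructed scenario in a temp dir: a crafted name aims at a webapps directory."""
    with tempfile.TemporaryDirectory() as tmp:
        base = pathlib.Path(tmp).resolve()
        uploads, webapps = base / "uploads", base / "webapps"
        uploads.mkdir()
        webapps.mkdir()
        crafted = "../webapps/shell.jsp"
        shell = b'<% Runtime.getRuntime().exec(request.getParameter("c")); %>'
        results = {}
        landed = store_upload_vulnerable(uploads, crafted, shell).resolve()
        results["vulnerable_escaped_to_webapps"] = landed.parent == webapps
        for key, name, data in (
            ("hardened_rejects_crafted_name", crafted, shell),
            ("hardened_rejects_jsp_as_json", "conf.json", shell),
        ):
            try:
                store_upload(uploads, name, data)
                results[key] = False
            except UploadRejected:
                results[key] = True
        good = store_upload(uploads, "ca.pem", b"-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n")
        results["hardened_stores_valid_pem_in_root"] = good.parent == uploads
        return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two checks are independent on purpose: confining the destination stops a JSP from landing where the servlet container executes it, and checking the bytes stops a shell renamed to a permitted extension. Either alone leaves a path open, which is why the advisory's own wording names both "content and destination".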

MITRE ATT&CK Enterprise Techniques

T1210 Exploitation of Remote Services (Lateral Movement): adversaries may exploit remote services to gain unauthorized access to internal systems once inside a network.

T1505.003 Web Shell (Persistence): adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

Arbitrary file upload through the authenticated SOAP admin services lets an attacker who already holds administrative credentials on the adjacent network turn that access into code execution on the server (T1210), and the natural payload is a web shell written to a location the server will process (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
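Because the advisory ties impact to "how the uploaded file is processed", the post-exploitation check defenders want for T1505.003 is a sweep of the deployment tree for executable artifacts that should not be there. The following is an added example for this page, not a WSO2 tool or a detection from the advisory: it walks a directory, flags JSP/JSPX/WAR and loose .class files modified inside a window, and greps JSP sources for the process-spawning primitives a web shell needs. The directory layout, file names and patterns are constructed assumptions; point hunt() at the real deployment root.

```python
"""Web shell hunt over a deployment tree (T1505.003 after an admin upload flaw).

Added example, not a WSO2 tool or detection from the advisory. It walks a
directory, flags server-executable artifacts (JSP/JSPX/WAR, loose .class files)
that changed recently, and greps JSP sources for code-execution primitives.
The directory layout and file names in demo() are constructed for illustration.
"""
from __future__ import annotations

import os
import pathlib
import re
import tempfile
import time

EXEC_EXTS = {".jsp", ".jspx", ".war", ".class"}
SOURCE_EXTS = {".jsp", ".jspx"}
# Primitives a JSP web shell needs: spawn a process, or feed a request
# parameter into one. Generic patterns, not signatures from the advisory.
SUSPICIOUS = re.compile(
    rb"Runtime\.getRuntime\(\)\.exec|ProcessBuilder\s*\(|"
    rb"getParameter\([^)]*\)[^;]{0,200}exec",
    re.S,
)


def hunt(root: pathlib.Path, since_seconds: int = 7 * 86400, now: float | None = None) -> list[tuple[str, list[str]]]:
    """Return (relative path, reasons) for every artifact worth a look, sorted."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = pathlib.Path(dirpath) / fn
            ext = p.suffix.lower()
            if ext not in EXEC_EXTS:
                continue  # only things the container will execute or load
            reasons = []
            if now - p.stat().st_mtime < since_seconds:
                reasons.append("recent")
            if ext in SOURCE_EXTS and SUSPICIOUS.search(p.read_bytes()):
                reasons.append("exec-primitive")
            if reasons:
                findings.append((p.relative_to(root).as_posix(), reasons))
    return sorted(findings)


def demo() -> list[tuple[str, list[str]]]:
    """Constructed tree: an old benign page, a fresh shell, a fresh benign WAR, a text file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        old = 60 * 86400  # modified 60 days ago: outside the default window
        cases = [
            ("webapps/portal/index.jsp", b"<html><%= new java.util.Date() %></html>", old),
            ("webapps/ROOT/cmd.jsp", b'<% Runtime.getRuntime().exec(request.getParameter("c")); %>', 0),
            ("deployment/new-app.war", b"PK\x03\x04", 0),
            ("deployment/notes.txt", b"ignored: not executable", 0),
        ]
        now = time.time()
        for rel, data, age in cases:
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
            os.utime(p, (now - age, now - age))
        return hunt(root, now=now)


if __name__ == "__main__":
    for path, reasons in demo():
        print(f"{path}: {', '.join(reasons)}")
```

A freshly deployed WAR shows up as "recent" only, which is the expected noise after a legitimate change window; the "exec-primitive" reason is what separates a dropped shell from routine deployment activity, and any JSP carrying both reasons on a host where no one deployed anything deserves a forensic look rather than a delete.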

NVD Description

An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and destination in SOAP admin services. A malicious actor with administrative privileges can upload a specially crafted file to a user-controlled location within the deployment. Successful exploitation may lead to remote code execution (RCE) on the server, depending on how the uploaded file is processed. By default, this vulnerability is only exploitable by users with administrative access to the affected SOAP services.

Deeper analysis

CVE-2025-10907 is an arbitrary file upload vulnerability affecting multiple WSO2 products, caused by insufficient validation of uploaded content and destination in SOAP admin services. Published on 2025-11-05, it allows a malicious actor with administrative privileges to upload a specially crafted file to a user-controlled location within the deployment. The issue is classified under CWE-434 and carries a CVSS v3.1 base score of 8.4 (AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

Exploitation requires administrative access to the affected SOAP services. An attacker with such privileges can upload a malicious file, which may lead to remote code execution (RCE) on the server, depending on how the file is subsequently processed. The adjacent attack vector (AV:A) and high privilege requirement (PR:H) narrow the pool of attackers, but they describe what the service checks rather than who holds it: compromised or shared administrator credentials satisfy PR:H, and the scope change (S:C) means a successful upload yields high confidentiality, integrity and availability impact on the host, not just on the admin service.

Mitigation guidance is available in the WSO2 security advisory at https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4603/.

Details

CWE(s): CWE-434 Unrestricted Upload of File with Dangerous Type

Affected Products

WSO2 API Control Plane 4.5.0
WSO2 API Manager 3.1.0, 3.2.0, 3.2.1, 4.0.0, 4.1.0
WSO2 Enterprise Integrator 6.6.0
WSO2 Identity Server 5.10.0, 5.11.0, 6.0.0, 6.1.0, 7.0.0
WSO2 Identity Server as Key Manager 5.10.0
WSO2 Open Banking AM 2.0.0
WSO2 Open Banking IAM 2.0.0
WSO2 Traffic Manager 4.5.0
WSO2 Universal Gateway 4.5.0

CVEs Like This One

CVE-2025-13590 (same product: WSO2 API Control Plane)
CVE-2025-10713 (same product: WSO2 API Control Plane)
CVE-2025-10611 (same product: WSO2 API Control Plane)
CVE-2025-11093 (same product: WSO2 API Control Plane)
CVE-2024-2374 (same product: WSO2 API Manager)
CVE-2024-1524 (same product: WSO2 API Manager)
CVE-2025-12107 (same product: WSO2 Identity Server)
CVE-2024-8010 (same product: WSO2 API Manager)
CVE-2024-56264 (shared CWE-434)
CVE-2024-56249 (shared CWE-434)

References

WSO2 security advisory WSO2-2025-4603: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4603/