CVE-2025-11093
Published: 05 November 2025
Summary
CVE-2025-11093 is a high-severity Code Injection (CWE-94) vulnerability in WSO2 API Manager. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The vulnerability ranks at the 28.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-7 (Least Functionality).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI-generated)
- Flaw remediation: directly mitigates the vulnerability by identifying, reporting, and applying patches that fix the insufficient restrictions in the GraalJS and NashornJS Script Mediator engines.
- AC-6 (Least Privilege): restricts access to the vulnerable scripting engines to the administrators who genuinely need it, so that other high-privilege users (such as API creators in WSO2 API Manager) cannot execute arbitrary code.
- CM-7 (Least Functionality): prohibits or restricts unnecessary Script Mediator functionality in the integration runtime, removing the capability for arbitrary code execution where scripting is not required.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The arbitrary code execution flaw in the GraalJS and NashornJS Script Mediator engines of WSO2 products is reached through the exposed integration runtime, which maps directly to T1210 (Exploitation of Remote Services); because the injected payload is JavaScript executed by the mediator engine, it also facilitates T1059.007 (JavaScript) for command execution.
NVD Description
An arbitrary code execution vulnerability exists in multiple WSO2 products due to insufficient restrictions in the GraalJS and NashornJS Script Mediator engines. Authenticated users with elevated privileges can execute arbitrary code within the integration runtime environment. By default, access to these scripting engines is limited to administrators in WSO2 Micro Integrator and WSO2 Enterprise Integrator, while in WSO2 API Manager, access extends to both administrators and API creators. This may allow trusted-but-privileged users to perform unauthorized actions or compromise the execution environment.
Deeper analysis (AI-generated)
CVE-2025-11093, published on 2025-11-05, is an arbitrary code execution vulnerability (CWE-94) with a CVSS v3.1 score of 8.4 (AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) affecting multiple WSO2 products, including WSO2 Micro Integrator, WSO2 Enterprise Integrator, and WSO2 API Manager. The flaw arises from insufficient restrictions in the GraalJS and NashornJS Script Mediator engines, enabling authenticated users with elevated privileges to execute arbitrary code within the integration runtime environment.
Attackers require adjacent network access (AV:A) and high privileges (PR:H) to exploit this vulnerability, with low attack complexity and no user interaction; the changed scope (S:C) reflects that code running in the mediator engine can affect resources beyond the scripting component itself. By default, access to these scripting engines is limited to administrators in WSO2 Micro Integrator and WSO2 Enterprise Integrator, while in WSO2 API Manager it extends to both administrators and API creators. Successful exploitation allows trusted-but-privileged users to perform unauthorized actions or compromise the execution environment.
For details on mitigation, patches, and remediation steps, refer to the WSO2 security advisory at https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4510/.
Details
- CWE(s)