CVE-2025-13590
Published: 19 February 2026
Summary
CVE-2025-13590 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in WSO2 API Manager. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood ranking is at the 28.6th percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates the unrestricted upload of dangerous file types via the REST API by validating every input of the upload, including the file name, the declared extension, the file contents and the destination location.
- AC-6 (Least Privilege): enforces least privilege so that an administrative role does not carry the permission to write arbitrary files to arbitrary locations unless that role actually needs it; a compromised admin credential then yields less than full host control.
- CM-7 (Least Functionality): limits system functionality by configuring the deployment to disable or restrict the non-essential file-upload capabilities of the REST API.
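What SI-10 means for an upload endpoint is concrete enough to show in code. The following is an added example written for this page, not WSO2's implementation and not a patch for this CVE: a Python upload handler that applies the four checks that would each, on its own, have blocked a web-shell drop of the kind the advisory describes (bare file name, allow-listed extension, matching magic bytes, destination confined to the upload root). The upload root, the allow-list and the sample contents are constructed for the example; the checks themselves are language-independent and apply equally to a Java stack.

```python
import re
from pathlib import Path

# Hypothetical upload root for this example; WSO2's real deployment layout and
# REST API are not modelled here.
UPLOAD_ROOT = Path("/var/lib/example-app/uploads")

# Allow-list: permitted extension -> magic-byte prefixes the content must carry.
# Everything not listed (.jsp, .war, .jar, .sh, .class, ...) is rejected outright.
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".pdf": (b"%PDF-",),
    ".json": (b"{", b"["),
}

# A bare file name: no path separators, no leading dot, no control characters.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")

# Constructed sample contents (not real files): a PNG header and a stand-in for
# a JSP web shell. Neither is taken from any real exploit.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
JSP_SAMPLE = b"<% /* constructed stand-in for a JSP web shell */ %>"


class UploadRejected(ValueError):
    """Raised with a reason whenever any one of the checks fails."""


def validate_upload(filename: str, subdir: str, content: bytes,
                    root: Path = UPLOAD_ROOT) -> Path:
    """Return the confined destination path for an upload or raise UploadRejected.

    1. the client-supplied name is a bare file name (no path separators),
    2. its final extension is on the allow-list ('a.png.jsp' fails because
       only the last suffix is consulted),
    3. the leading bytes of the content match the declared type,
    4. the resolved destination stays under `root` even when the
       caller-controlled `subdir` tries to traverse out of it or is absolute.
    """
    # 1. file name hygiene
    if not SAFE_NAME.fullmatch(filename):
        raise UploadRejected(f"unsafe file name: {filename!r}")

    # 2. extension allow-list (lower-cased so '.PnG' behaves like '.png')
    ext = Path(filename).suffix.lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"file type not allowed: {ext or '<none>'}")

    # 3. content must agree with the declared type
    if not content.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected(f"content does not look like {ext}")

    # 4. confine the destination: collapse '..' and follow symlinks on both
    #    sides, then require the result to still be inside root. A prefix
    #    check on the unresolved string would be bypassable via symlinks.
    root = root.resolve()
    dest = (root / subdir / filename).resolve()
    try:
        dest.relative_to(root)
    except ValueError:
        raise UploadRejected(f"destination escapes upload root: {dest}") from None
    return dest


def check_upload(filename: str, subdir: str, content: bytes,
                 root: Path = UPLOAD_ROOT):
    """Non-raising form: (accepted, destination path or rejection reason)."""
    try:
        return True, str(validate_upload(filename, subdir, content, root))
    except UploadRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    cases = [
        ("logo.png", "images", PNG_SAMPLE),            # accepted
        ("shell.jsp", "images", JSP_SAMPLE),           # extension not allowed
        ("shell.png.jsp", "images", PNG_SAMPLE),       # double extension, last suffix wins
        ("shell.png", "images", JSP_SAMPLE),           # declared PNG, content is not
        ("../../tmp/shell.png", "images", PNG_SAMPLE), # separators in file name
        ("shell.png", "../../../../tmp", PNG_SAMPLE),  # traversal via subdir
        ("shell.png", "/tmp", PNG_SAMPLE),             # absolute subdir
    ]
    for name, sub, body in cases:
        ok, detail = check_upload(name, sub, body)
        print(f"{'ACCEPT' if ok else 'REJECT'} {name!r} in {sub!r}: {detail}")
```

The order of the checks is deliberate: the cheap lexical checks run before anything touches the filesystem, and the path check runs on the fully resolved path rather than on the string the client sent, which is the difference between blocking and merely discouraging a write to a "user-controlled location".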
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the WSO2 REST API is exploited through a public-facing application (T1190) or, from an already compromised host, a remote service (T1210). The unrestricted arbitrary file upload (CWE-434) lets the attacker place a specially crafted payload such as a web shell (Server Software Component: Web Shell, T1505.003) in a location from which it is executed, which is what turns the upload into remote code execution.
NVD Description
A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution. By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.
Deeper analysis
CVE-2025-13590 is a critical vulnerability (CVSS 9.1) in WSO2 deployments that lets a malicious actor with administrative privileges upload an arbitrary file to a user-controlled location via a system REST API. Successful exploitation may result in remote code execution (RCE) through a specially crafted payload. The issue is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type).
The attacker needs high privileges (PR:H) but can exploit the flaw over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). The upload escapes the security scope of the REST API into the underlying deployment (S:C), with high impact on confidentiality, integrity and availability (C:H/I:H/A:H). The practical precondition is therefore a valid administrative credential or session: a compromised or malicious administrator can upload files that trigger RCE within the affected deployment, so admin credential hygiene matters alongside patching.
For affected versions and fixes, refer to the WSO2 security advisory WSO2-2025-4849 at https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4849/.
Details
- CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)