Vulnerability Details CVE-2025-3125
An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader admin service endpoint. An authenticated attacker with appropriate privileges can upload a malicious file to a user-controlled location on the server, potentially leading to remote code execution (RCE).
This functionality is restricted by default to admin users; therefore, successful exploitation requires valid credentials with administrative permissions.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 48.9%
CVSS Severity
CVSS v3 Score 6.7
Products affected by CVE-2025-3125
-
cpe:2.3:a:wso2:api_control_plane:4.5.0
-
cpe:2.3:a:wso2:api_manager:3.2.0
-
cpe:2.3:a:wso2:api_manager:3.2.1
-
cpe:2.3:a:wso2:api_manager:4.0.0
-
cpe:2.3:a:wso2:api_manager:4.1.0
-
cpe:2.3:a:wso2:api_manager:4.2.0
-
cpe:2.3:a:wso2:api_manager:4.3.0
-
cpe:2.3:a:wso2:api_manager:4.4.0
-
cpe:2.3:a:wso2:api_manager:4.5.0
-
cpe:2.3:a:wso2:enterprise_integrator:6.6.0
-
cpe:2.3:a:wso2:identity_server:5.10.0
-
cpe:2.3:a:wso2:identity_server:5.11.0
-
cpe:2.3:a:wso2:identity_server:6.0.0
-
cpe:2.3:a:wso2:identity_server:6.1.0
-
cpe:2.3:a:wso2:identity_server:7.0.0
-
cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0
-
cpe:2.3:a:wso2:open_banking_iam:2.0.0
-
cpe:2.3:a:wso2:traffic_manager:4.5.0
-
cpe:2.3:a:wso2:universal_gateway:4.5.0