Cyber Posture

CVE-2025-11093

High

Published: 05 November 2025
Modified: 09 January 2026
KEV Added: not recorded
Patch: see vendor advisory (Security Summary)
CVSS Score: 8.4 (CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0011 (28.7th percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries may abuse various implementations of JavaScript for execution.

Security Summary

CVE-2025-11093, published on 2025-11-05, is an arbitrary code execution vulnerability (CWE-94) with a CVSS v3.1 score of 8.4 (AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) affecting multiple WSO2 products, including WSO2 Micro Integrator, WSO2 Enterprise Integrator, and WSO2 API Manager. The flaw arises from insufficient restrictions in the GraalJS and NashornJS Script Mediator engines, enabling authenticated users with elevated privileges to execute arbitrary code within the integration runtime environment.

Exploitation requires adjacent network access (AV:A) and high privileges (PR:H); attack complexity is low and no user interaction is needed. By default, access to these scripting engines is limited to administrators in WSO2 Micro Integrator and WSO2 Enterprise Integrator, while in WSO2 API Manager it extends to both administrators and API creators. Successful exploitation lets a trusted but privileged user perform unauthorized actions or compromise the integration runtime itself.

For details on mitigation, patches, and remediation steps, refer to the WSO2 security advisory at https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4510/.

Details

CWE(s): CWE-94 (Improper Control of Generation of Code, 'Code Injection')

Affected Products

WSO2 API Control Plane: 4.5.0 to 4.5.0.29
WSO2 API Manager: 3.1.0 to 3.1.0.345; 3.2.0 to 3.2.0.446; 3.2.1 to 3.2.1.66
WSO2 Enterprise Integrator: 6.6.0 to 6.6.0.224
WSO2 Micro Integrator: 4.0.0 to 4.0.0.145; 4.1.0 to 4.1.0.147; 4.2.0 to 4.2.0.141
WSO2 Traffic Manager: 4.5.0 to 4.5.0.27
WSO2 Universal Gateway: 4.5.0 to 4.5.0.27

MITRE ATT&CK Enterprise Techniques

T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

The arbitrary code execution flaw in the GraalJS and NashornJS Script Mediator engines of WSO2's network-exposed integration services maps directly to T1210 (Exploitation of Remote Services), and because the injected code runs through a JavaScript engine it also maps to T1059.007 (JavaScript) as the execution technique.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
