Cyber Posture

CVE-2025-13590

Critical

Published: 19 February 2026
Modified: 20 February 2026

CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0011 (28.6th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution. By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly mitigates unrestricted upload of dangerous file types via the REST API by validating all information inputs, including file contents and extensions.

Prevent: Enforces least privilege to prevent administrators from having unnecessary permissions for arbitrary file uploads to user-controlled locations.

Prevent: Limits system functionality by configuring the deployment to exclude or restrict non-essential arbitrary file upload capabilities in the REST API.

Security Summary

CVE-2025-13590 is a critical vulnerability (CVSS 9.1) in WSO2 deployments that enables a malicious actor with administrative privileges to upload an arbitrary file to a user-controlled location via a system REST API. Successful exploitation may result in remote code execution (RCE) by leveraging a specially crafted payload. The issue is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).

Attackers require high privileges (PR:H) but can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), achieving a scope change (S:C) with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). A compromised administrator could upload malicious files to trigger RCE within the affected deployment.

For mitigation details, refer to the WSO2 security advisory at https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4849/.

Details

CWE(s): CWE-434 Unrestricted Upload of File with Dangerous Type

Affected Products

wso2 / api control plane: 4.5.0, 4.6.0
wso2 / api manager: 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0
wso2 / traffic manager: 4.5.0, 4.6.0
wso2 / universal gateway: 4.5.0, 4.6.0

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.

T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside a network.

Why these techniques?

The vulnerability in the WSO2 REST API enables exploitation of a public-facing or remote service (T1190, T1210) via unrestricted arbitrary file upload (CWE-434), directly facilitating RCE through specially crafted payloads such as web shells (T1100).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
