CVE-2022-29464

9.8 CRITICAL

📋 TL;DR

CVE-2022-29464 is a critical unrestricted file upload vulnerability in multiple WSO2 products that allows attackers to upload malicious files to web-accessible directories via directory traversal. This leads to remote code execution by uploading webshells or other executable content. Affected organizations include those using WSO2 API Manager, Identity Server, Enterprise Integrator, and Open Banking components within specified vulnerable versions.

💻 Affected Systems

Products:
  • WSO2 API Manager
  • WSO2 Identity Server
  • WSO2 Identity Server Analytics
  • WSO2 Identity Server as Key Manager
  • WSO2 Enterprise Integrator
  • WSO2 Open Banking AM
  • WSO2 Open Banking KM
Versions: WSO2 API Manager 2.2.0 to 4.0.0, WSO2 Identity Server 5.2.0 to 5.11.0, WSO2 Identity Server Analytics 5.4.0-5.6.0, WSO2 Identity Server as Key Manager 5.3.0 to 5.11.0, WSO2 Enterprise Integrator 6.2.0 to 6.6.0, WSO2 Open Banking AM 1.4.0 to 2.0.0, WSO2 Open Banking KM 1.4.0 to 2.0.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects default installations; exploitation requires access to the /fileupload endpoint, which may be exposed in default configurations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control over the affected server, enabling data theft, lateral movement, and persistent backdoor installation.

🟠 Likely Case

Remote code execution leading to webshell deployment, credential harvesting, and potential data exfiltration from the compromised system.

🟢 If Mitigated

Limited impact with proper network segmentation and file upload restrictions, potentially only allowing file upload without execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit scripts and proof-of-concepts are available; exploitation is straightforward with known directory paths.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: WSO2 has released security updates for all affected products; specific versions vary by product line.

Vendor Advisory: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1738/

Restart Required: Yes

Instructions:

1. Identify affected WSO2 product and version.
2. Download and apply the latest security patch from WSO2's official security advisory.
3. Restart the WSO2 service to apply changes.
4. Verify the patch by checking version and testing the /fileupload endpoint.

🔧 Temporary Workarounds

Block /fileupload endpoint

Platform: all

Configure web server or firewall rules to block access to the vulnerable /fileupload endpoint.

# Example for Apache: RewriteRule ^/fileupload - [F,L]
# Example for Nginx: location ~ /fileupload { deny all; }

Restrict file upload directory permissions

Platform: linux

Set strict file permissions on web-accessible directories to prevent execution of uploaded files.

# chmod -R 644 would also strip the execute bit from directories and make them untraversable
find /path/to/webapps/ -type f -exec chmod 644 {} +
find /path/to/webapps/ -type d -exec chmod 755 {} +
chown -R root:root /path/to/webapps/

🧯 If You Can't Patch

  • Implement strict network access controls to limit access to WSO2 management interfaces
  • Deploy web application firewall (WAF) rules to detect and block directory traversal attempts in file upload requests

🔍 How to Verify

Check if Vulnerable:

Check if the /fileupload endpoint is accessible and test with a benign file upload containing directory traversal sequences (e.g., ../../test.txt).

Check Version:

Check WSO2 product documentation for version command; typically found in management console or product logs.

Verify Fix Applied:

Verify the WSO2 product version is updated beyond vulnerable ranges and test that /fileupload endpoint no longer accepts directory traversal sequences.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file upload requests to /fileupload endpoint
  • HTTP requests containing directory traversal sequences (../)
  • Unexpected file creations in webapps directories

Network Indicators:

  • POST requests to /fileupload with Content-Disposition headers containing ../ patterns
  • Unusual outbound connections from WSO2 servers post-file upload

SIEM Query:

source="*wso2*" AND (url="/fileupload" OR message="*../*")
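The log indicators above, applied by a small scanner over constructed access-log lines (an added example, not part of this advisory or any WSO2 tooling); it also percent-decodes the request path twice so that single- and double-URL-encoded traversal sequences, which a literal `*../*` match would miss, are still flagged. Log lines, addresses and paths below are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log entries (combined log format); not from a real WSO2 deployment.
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2022:12:00:01 +0000] "GET /carbon/admin/login.jsp HTTP/1.1" 200 1234
10.0.0.9 - - [10/May/2022:12:00:07 +0000] "POST /fileupload HTTP/1.1" 200 512
10.0.0.9 - - [10/May/2022:12:00:08 +0000] "GET /authenticationendpoint/%2e%2e%2f%2e%2e%2ftest.txt HTTP/1.1" 404 0
10.0.0.7 - - [10/May/2022:12:00:09 +0000] "GET /images/logo.png HTTP/1.1" 200 2048
10.0.0.3 - - [10/May/2022:12:00:10 +0000] "GET /static/..%252f..%252ftest.txt HTTP/1.1" 400 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")  # ../ or ..\ after decoding


def normalize_path(path, rounds=2):
    """Percent-decode up to `rounds` times so %2e%2e%2f and %252e%252e%252f both become ../."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(line):
    """Return the CVE-2022-29464 indicators a log line matches (empty list if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    reasons = []
    path = normalize_path(m.group("path"))
    if path.startswith("/fileupload"):          # indicator: any request to the upload endpoint
        reasons.append("fileupload-endpoint")
    if TRAVERSAL_RE.search(path):               # indicator: traversal sequence in the decoded path
        reasons.append("directory-traversal")
    return reasons


def scan(log_text):
    """Return (ip, method, raw path, reasons) for every line that matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            m = LOG_RE.match(line)
            hits.append((m.group("ip"), m.group("method"), m.group("path"), reasons))
    return hits


if __name__ == "__main__":
    for ip, method, path, reasons in scan(SAMPLE_LOG):
        print(f"{ip} {method} {path} -> {', '.join(reasons)}")
```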
