CVE-2025-5717

6.8 MEDIUM

📋 TL;DR

This CVE describes an authenticated remote code execution vulnerability in WSO2 products where administrators can deploy malicious Java code through Siddhi execution plans. The vulnerability allows authenticated administrative users to execute arbitrary code on affected servers. Organizations using vulnerable WSO2 products with administrative SOAP services exposed are affected.

💻 Affected Systems

Products:
  • WSO2 API Manager
  • WSO2 Enterprise Integrator
  • WSO2 Identity Server
  • WSO2 Stream Processor
Versions: Multiple versions prior to security patches
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrative access to SOAP admin services; default installations with admin interfaces exposed are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server compromise leading to data theft, lateral movement, and persistent backdoor installation.

🟠 Likely Case: Privileged insider threat or compromised admin account leading to data exfiltration and system manipulation.

🟢 If Mitigated: Limited impact due to proper access controls, monitoring, and network segmentation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires administrative credentials and knowledge of WSO2 SOAP admin services.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to WSO2 security advisory for specific product versions

Vendor Advisory: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4119/

Restart Required: No

Instructions:

1. Review WSO2 security advisory WSO2-2025-4119.
2. Apply the recommended patches for your specific product and version.
3. Verify patch installation.
4. Monitor for any issues post-patch.

🔧 Temporary Workarounds

Restrict SOAP Admin Service Access (applies to: all platforms)

Limit network access to SOAP admin services to trusted IP addresses only:
  • Configure firewall rules to restrict access to SOAP admin service ports
  • Implement network segmentation for admin interfaces

Disable Unnecessary Admin Services (applies to: all platforms)

Disable SOAP admin services if they are not required for operations:
  • Modify WSO2 configuration files to disable unused admin services
  • Review and disable unnecessary service endpoints

🧯 If You Can't Patch

  • Implement strict access controls and monitoring for administrative accounts
  • Segment admin interfaces onto a restricted network and place them behind an application firewall

🔍 How to Verify

Check if Vulnerable:

Check WSO2 product version against affected versions listed in WSO2-2025-4119 advisory

Check Version:

Check WSO2 product documentation for version check commands specific to your installation

Verify Fix Applied:

Verify patch installation by checking version numbers and testing SOAP admin service functionality

📡 Detection & Monitoring

Log Indicators:

  • Unusual SOAP admin service requests
  • Suspicious Siddhi execution plan deployments
  • Java code execution attempts in logs

Network Indicators:

  • Unusual traffic to SOAP admin service endpoints
  • Malformed SOAP requests containing Java code

SIEM Query:

source="wso2-logs" AND (event="admin-service-access" OR event="siddhi-deployment") AND suspicious_patterns
