Skip to content
Security Alerts

CVE-2025-12107: Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin pr...

Security Alert - CVE-2025-12107 (Wso2 Identity Server). CVSS: 10.0 (critical). EPSS: 0%.

Marcin Godula Marcin Godula

Summary

ParameterValue
CVE IDCVE-2025-12107
Alert SourceNVD - New Critical Vulnerability
CVE Publication Year2025
Date Published2026-02-19
VendorWso2
ProductIdentity Server
CVSS Score10.0 (critical)
EPSS Score0.3% (percentile: 53%)
CISA KEVNo
RansomwareNot confirmed

Vulnerability Description

Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject and execute arbitrary template syntax within server-side templates.

Successful exploitation of this vulnerability could allow a malicious actor with admin privilege to inject and execute arbitrary template code on the server, potentially leading to remote code execution, data manipulation, or unauthorized access to sensitive information.

Required Actions

Apply vendor patches or mitigations as soon as available.

Who Is Affected?

This vulnerability affects Identity Server by Wso2. Check if your organization uses this software and requires updates.

Sources

Need help securing your systems? nFlo team offers vulnerability management and 24/7 SOC services. Contact us.

Tags:

cve-2025-12107 critical wso2 vulnerability

Share:

Talk to an expert

Have questions about this topic? Get in touch with our specialist.

Product Manager
Grzegorz Gnych

Grzegorz Gnych

Sales Representative

+48 664 003 003grzegorz.gnych@nflo.pl
Response within 24 hours
Free consultation
Individual approach

Providing your phone number will speed up contact.

Want to Reduce IT Risk and Costs?

Book a free consultation - we respond within 24h

Response in 24h Free quote No obligations
Book a Call +48 22 487 86 36

Or download free guide:

Download NIS2 Checklist