Skip to content
Security Alerts

CVE-2025-13590: A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled l...

A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code exec...

Marcin Godula Marcin Godula

Summary

ParameterValue
CVE IDCVE-2025-13590
Alert SourceNVD - New Critical Vulnerability
CVE Publication Year2025
Date Published2026-02-19
VendorWso2
ProductApi Control Plane
CVSS Score9.1 (critical)
EPSS Score0.2% (percentile: 43%)
CISA KEVNo
RansomwareNot confirmed

Vulnerability Description

A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution.

By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.

Required Actions

Apply vendor patches or mitigations as soon as available.

Who Is Affected?

This vulnerability affects Api Control Plane by Wso2. Check if your organization uses this software and requires updates.

Sources

Need help securing your systems? nFlo team offers vulnerability management and 24/7 SOC services. Contact us.

Tags:

cve-2025-13590 critical wso2 vulnerability

Share:

Talk to an expert

Have questions about this topic? Get in touch with our specialist.

Product Manager
Grzegorz Gnych

Grzegorz Gnych

Sales Representative

+48 664 003 003grzegorz.gnych@nflo.pl
Response within 24 hours
Free consultation
Individual approach

Providing your phone number will speed up contact.

Want to Reduce IT Risk and Costs?

Book a free consultation - we respond within 24h

Response in 24h Free quote No obligations
Book a Call +48 22 487 86 36

Or download free guide:

Download NIS2 Checklist