CVE-2025-5717 is a vulnerability classified under CWE-94 (Improper Control of Generation of Code), affecting multiple versions of WSO2 API Manager from 3.0.0 to 4.5.0. The flaw exists in the event processor admin service, which accepts Siddhi execution plans for event processing. Due to insufficient input validation, an authenticated user with administrative privileges can craft and deploy a Siddhi execution plan embedding malicious Java code. This leads to remote code execution (RCE) on the server hosting the API Manager. The vulnerability requires authentication with high privileges but does not require user interaction, making it exploitable by insiders or compromised admin accounts. The CVSS 3.1 score of 6.8 reflects a medium severity with high impact on confidentiality, integrity, and availability, and low attack complexity. No public exploits or patches have been published yet, increasing the urgency for organizations to monitor updates and apply mitigations proactively. The vulnerability could allow attackers to execute arbitrary commands, potentially leading to full system compromise, data exfiltration, or disruption of API services.

For European organizations, this vulnerability poses a significant risk especially for those relying on WSO2 API Manager for critical API gateway and management functions. Successful exploitation could lead to unauthorized access to sensitive data, manipulation or disruption of API services, and potential lateral movement within internal networks. This could impact confidentiality, integrity, and availability of enterprise systems and data. Organizations in sectors such as finance, telecommunications, healthcare, and government, which often use API management platforms extensively, may face operational disruptions and regulatory compliance issues. The requirement for administrative access limits the attack surface but also highlights the importance of securing privileged accounts. If exploited, attackers could deploy backdoors, exfiltrate data, or disrupt business-critical APIs, affecting service continuity and trust.

1. Restrict administrative access to the WSO2 API Manager’s SOAP admin services strictly to trusted personnel and systems. 2. Implement strong multi-factor authentication (MFA) for all administrative accounts to reduce risk of credential compromise. 3. Monitor and audit all administrative actions and deployments of Siddhi execution plans for suspicious activity. 4. Apply the latest security patches and updates from WSO2 as soon as they become available. 5. Employ network segmentation to isolate API management infrastructure from broader enterprise networks. 6. Use application-layer firewalls or API gateways with anomaly detection to identify and block malicious payloads. 7. Conduct regular security reviews of Siddhi execution plans and restrict the ability to deploy or modify them to minimal necessary personnel. 8. Prepare incident response plans specifically addressing potential API management compromise scenarios.