What is WSO2?
WSO2 is an open-source middleware platform widely used by enterprises and government agencies for API management, identity and access management, integration, and enterprise service bus (ESB) functions. WSO2 products — including API Manager, Identity Server, Enterprise Integrator, Open Banking, IS as Key Manager, and Carbon — are deployed in internet-facing roles to manage authentication, API gateways, and integration workflows. Because WSO2 products often act as the authentication and API gateway layer for enterprise applications, compromising them can provide access to every downstream application and API they protect.
Overview
CVE-2022-29464 is a critical unrestricted file upload vulnerability (classified as CWE-22, path traversal; CVSS 3.1 score 9.8) affecting multiple WSO2 products. An unauthenticated remote attacker can submit a file to a WSO2 file upload endpoint that is reachable without logging in; because the server builds the destination path from the attacker-supplied filename, traversal sequences in that name cause the file to be written into a web-accessible directory, where the application server executes it. The result is pre-authentication remote code execution. CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog seven days after publication, indicating active exploitation at the time, and the entry's Known Ransomware Use flag reflects subsequent use by ransomware operators targeting enterprise middleware deployments.
Affected Versions
| Product | Vulnerable Versions | Fixed Version |
|---|---|---|
| WSO2 API Manager | 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, 4.0.0 | 4.1.0 / patch |
| WSO2 Identity Server | 5.2.0–5.11.0 | Patched update |
| WSO2 Identity Server as Key Manager | 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0 | Patched update |
| WSO2 Enterprise Integrator | 6.2.0–6.6.0 | Patched update |
| WSO2 Open Banking AM | 1.3.0–2.0.0 | Patched update |
Technical Details
The vulnerability (CWE-22: path traversal, leading to unrestricted file upload) exists in the file upload functionality that WSO2 products expose on the management console port. The management console allows administrators to deploy web applications (WAR files) and other resources, but the upload servlet behind it can be reached without authentication, and it neither validates the supplied filename nor restricts the file type or content adequately.
An unauthenticated attacker sends a crafted multipart HTTP request to the file upload endpoint. The filename field of the multipart body is used to construct the path the file is written to, so a filename containing traversal sequences places the file outside the intended upload directory and inside one of the server's deployed web application directories. A JSP dropped there is compiled and executed by the embedded Java web server the first time it is requested. The attacker then sends a second HTTP request directly to the uploaded file's path, triggering code execution with the privileges of the WSO2 service account.
The attack chain requires no prior knowledge of the system beyond the WSO2 management console URL and completes in two HTTP requests: one upload and one request for the uploaded file.
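The root cause described above is the generic CWE-22 upload pattern: a destination path built from the client-supplied filename. The following is an added example, not WSO2's code, that places the vulnerable pattern beside a hardened one. The upload root, the served directory, and the allow-listed extensions are constructed for the illustration.

```python
import os
from pathlib import Path

# Constructed policy for this example: only these extensions may be uploaded.
ALLOWED_EXTENSIONS = {".xml", ".txt", ".json"}


def unsafe_destination(upload_root: str, client_filename: str) -> str:
    """Vulnerable pattern (CWE-22): the client-supplied filename is joined to
    the upload directory verbatim, so '../' segments walk out of it and the
    file lands wherever the client chose, e.g. under a served webapp."""
    return os.path.normpath(os.path.join(upload_root, client_filename))


def safe_destination(upload_root: str, client_filename: str) -> str:
    """Hardened pattern: drop any directory component, enforce an extension
    allow-list, then verify the resolved path is still under the upload root.
    Raises ValueError on rejection so the caller never writes the file."""
    name = os.path.basename(client_filename.replace("\\", "/"))
    if name in ("", ".", "..") or "\x00" in name:
        raise ValueError("empty or malformed filename")
    if Path(name).suffix.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension of {name!r} is not allowed")
    root = Path(upload_root).resolve()
    dest = (root / name).resolve()
    if root not in dest.parents:
        # Defence in depth: basename() already prevents this, but the
        # containment check is what you rely on against new encoding tricks.
        raise ValueError("destination escapes the upload root")
    return str(dest)


def compare(upload_root: str, client_filename: str) -> dict:
    """Show where the same client filename ends up under each handler."""
    unsafe = unsafe_destination(upload_root, client_filename)
    try:
        safe, rejected = safe_destination(upload_root, client_filename), None
    except ValueError as exc:
        safe, rejected = None, str(exc)
    inside = unsafe.startswith(os.path.normpath(upload_root) + os.sep)
    return {
        "unsafe_path": unsafe,
        "unsafe_escaped": not inside,
        "safe_path": safe,
        "rejected": rejected,
    }


if __name__ == "__main__":
    # Constructed layout: uploads should stay under /opt/srv/tmp/uploads,
    # while /opt/srv/webapps is served and executed by the application server.
    root = "/opt/srv/tmp/uploads"
    for fname in ("report.xml", "../../webapps/app/shell.jsp"):
        print(fname, "->", compare(root, fname))
```

The important design point is that the containment check runs on the resolved path, after normalisation, so it catches whatever the basename and extension checks miss; checking only for the literal string `../` is not sufficient.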
Discovery
The vulnerability was reported to WSO2 through coordinated disclosure; WSO2's advisory credits Orange Tsai of DEVCORE. WSO2 tracks it as WSO2-2021-1738: the 2021 in the identifier reflects when the report was received, while the fix and the public advisory followed in April 2022.
Exploitation Context
WSO2 products are deployed by government agencies, financial institutions, healthcare organizations, and large enterprises — making them high-value targets for both nation-state actors and ransomware operators. Within days of the CVE being published in April 2022, researchers observed mass scanning and exploitation attempts targeting internet-exposed WSO2 management consoles.
Active exploitation included:
- Uploading JSP-based web shells to establish persistent access
- Exfiltration of WSO2 configuration files containing API keys, database credentials, and LDAP/Active Directory connection details
- Using WSO2 API gateway credentials to access downstream protected applications
- Ransomware groups deploying payloads through established footholds
CISA's Known Ransomware Use flag on the KEV entry reflects confirmed use of this vulnerability as an initial access vector in ransomware campaigns, which exploit WSO2's privileged position in enterprise authentication flows.
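Because the attack is a two-request chain (an upload followed by a request for the uploaded file), it leaves a recognisable pattern in the HTTP access log. The following is an added example, not tooling from the page or from WSO2, that correlates the two requests per client. The servlet prefix `/fileupload/`, the `/carbon/` prefix for the console's own JSPs, the combined log format, and the sample log lines are assumptions made for the illustration; adjust the prefixes to what your deployment actually logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions (not taken from the page): the upload servlet sits under
# UPLOAD_PREFIX, the management console's own pages live under /carbon/, and
# the access log (typically under repository/logs/) is Tomcat "combined" format.
UPLOAD_PREFIX = "/fileupload/"
IGNORE_PREFIXES = ("/carbon/",)
SCRIPT_EXT = (".jsp", ".jspx")
WINDOW = timedelta(minutes=10)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})\b'
)

# Constructed sample lines: one exploitation chain from 203.0.113.7, a normal
# admin session from 10.0.0.5, and an unrelated page fetch from 198.51.100.9.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Apr/2022:10:02:11 +0000] "POST /fileupload/toolsAny HTTP/1.1" 200 47 "-" "python-requests/2.27.1"
203.0.113.7 - - [19/Apr/2022:10:02:13 +0000] "GET /authenticationendpoint/abc.jsp?cmd=id HTTP/1.1" 200 412 "-" "python-requests/2.27.1"
10.0.0.5 - - [19/Apr/2022:10:05:00 +0000] "GET /carbon/admin/login.jsp HTTP/1.1" 200 6113 "-" "Mozilla/5.0"
10.0.0.5 - - [19/Apr/2022:10:06:30 +0000] "POST /fileupload/service HTTP/1.1" 200 20 "-" "Mozilla/5.0"
10.0.0.5 - - [19/Apr/2022:10:06:35 +0000] "GET /carbon/service-mgt/index.jsp HTTP/1.1" 200 9921 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Apr/2022:11:40:00 +0000] "GET /authenticationendpoint/login.jsp HTTP/1.1" 200 5000 "-" "curl/7.81.0"
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def find_upload_then_execute(lines):
    """Flag a successful GET of a script file that follows an accepted POST to
    the upload servlet from the same client within WINDOW. Console pages
    under IGNORE_PREFIXES are excluded to cut admin-session noise."""
    uploads = defaultdict(list)  # client ip -> timestamps of accepted POSTs
    alerts = []
    for ev in filter(None, map(parse_line, lines)):
        if (ev["method"] == "POST" and ev["path"].startswith(UPLOAD_PREFIX)
                and ev["status"] < 400):
            uploads[ev["ip"]].append(ev["ts"])
            continue
        if (ev["method"] == "GET" and ev["status"] == 200
                and ev["path"].lower().endswith(SCRIPT_EXT)
                and not ev["path"].startswith(IGNORE_PREFIXES)):
            prior = [t for t in uploads[ev["ip"]]
                     if timedelta(0) <= ev["ts"] - t <= WINDOW]
            if prior:
                alerts.append({"ip": ev["ip"], "uploaded_at": max(prior),
                               "executed": ev["path"], "executed_at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for a in find_upload_then_execute(SAMPLE_LOG.splitlines()):
        print(f"{a['ip']} uploaded at {a['uploaded_at']:%H:%M:%S} then ran {a['executed']}")
```

Two caveats for real logs: administrators on the allowed network will also produce upload POSTs, so filter by source network or pivot on the unauthenticated case; and a mass scanner that only uploads (no second request) still deserves attention, so consider alerting on any POST to the upload prefix from outside the admin network.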
Remediation
- Apply WSO2 patches immediately: Update to patched versions per WSO2 Security Advisory WSO2-2021-1738. WSO2 released both full product updates and security patches.
- Restrict management console access: The WSO2 management console (typically on port 9443) should not be internet-facing. Restrict access to authorized administrator networks via firewall or reverse proxy.
- Review for uploaded web shells: Inspect the WSO2 web application deployment directory (repository/deployment/server/webapps under the product home) for unexpected .war, .jsp, .jspx, or .class files that may be web shells left by prior exploitation. Compare against a clean installation of the same product version rather than trusting modification times alone, since timestamps can be forged.
- Rotate all WSO2 credentials: If the console was ever internet-exposed, assume its configuration files (including OAuth client secrets, API keys, database passwords, and LDAP credentials) have been read. Rotate all of them.
- Audit downstream API consumers: Review WSO2 API gateway logs for unauthorized API calls using harvested credentials or tokens.
- Enable WAF rules as a compensating control: Until the patch is applied, deploy reverse proxy or web application firewall rules that block multipart file upload requests to the WSO2 file upload endpoint from untrusted networks. Treat this as a stopgap only: the endpoint accepts uploads without authentication, so network restriction and patching remain the real fix.
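The web shell review above is easy to do by hand once, but worth scripting if many nodes were exposed. The following is an added example, not a WSO2 tool, that walks a product home for files of the listed types and reports anything modified after a baseline date, absent from a known-good manifest, or containing common Java web shell markers. The marker list, the directory layout of the demo tree, and the planted files are constructed for the illustration.

```python
import os
import re
import shutil
import tempfile
import time
from pathlib import Path

# File types named in the remediation step above.
SUSPECT_EXT = {".war", ".jsp", ".jspx", ".class"}
# Constructed heuristic: constructs that rarely appear in shipped JSPs but
# almost always appear in Java web shells. Extend for your environment.
SHELL_MARKERS = re.compile(
    rb"Runtime\.getRuntime\(\)\.exec|ProcessBuilder|Base64\.getDecoder|defineClass\("
)


def hunt(wso2_home, since_epoch, baseline_names=frozenset()):
    """Report suspect-type files under wso2_home that were modified after
    since_epoch, are missing from baseline_names (relative POSIX paths from a
    clean install, assumed input), or contain web-shell markers."""
    root = Path(wso2_home)
    findings = []
    for p in root.rglob("*"):
        if not p.is_file() or p.suffix.lower() not in SUSPECT_EXT:
            continue
        rel = p.relative_to(root).as_posix()
        st = p.stat()
        reasons = []
        if st.st_mtime > since_epoch:
            reasons.append("modified after baseline")
        if baseline_names and rel not in baseline_names:
            reasons.append("not in baseline manifest")
        if p.suffix.lower() in (".jsp", ".jspx"):
            # Only the first 64 KiB is scanned; shells are small.
            if SHELL_MARKERS.search(p.read_bytes()[:65536]):
                reasons.append("web-shell marker")
        if reasons:
            findings.append({"path": rel, "mtime": st.st_mtime, "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


def make_demo_tree():
    """Construct a tiny tree mimicking a WSO2 webapps directory (not a real
    install): one shipped JSP with an old mtime and one planted shell.
    Returns (home, baseline_epoch)."""
    home = Path(tempfile.mkdtemp(prefix="wso2-demo-"))
    webapp = home / "repository" / "deployment" / "server" / "webapps" / "authenticationendpoint"
    webapp.mkdir(parents=True)
    legit = webapp / "login.jsp"
    legit.write_text('<%@ page contentType="text/html" %><html>login</html>')
    old = time.time() - 400 * 86400
    os.utime(legit, (old, old))
    shell = webapp / "abc.jsp"
    shell.write_text('<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>')
    return home, old + 86400  # baseline: the day after the shipped file landed


def demo():
    """Build the demo tree, hunt it with a one-entry manifest, and clean up."""
    home, since = make_demo_tree()
    baseline = {"repository/deployment/server/webapps/authenticationendpoint/login.jsp"}
    try:
        return hunt(home, since, baseline)
    finally:
        shutil.rmtree(home, ignore_errors=True)


if __name__ == "__main__":
    for f in demo():
        print(f["path"], "->", ", ".join(f["reasons"]))
```

Run it against the real product home with `since_epoch` set to the last known-good deployment time and `baseline_names` generated from a pristine copy of the same version; a file that trips the manifest or marker check with an old modification time is the timestomping case the bullet above warns about.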
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2022-29464 |
| Vendor / Product | WSO2 — Multiple Products |
| NVD Published | 2022-04-18 |
| NVD Last Modified | 2025-11-07 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-22 |
| CISA KEV Added | 2022-04-25 |
| CISA KEV Deadline | 2022-05-16 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2022-04-18 | CVE published; WSO2 Security Advisory WSO2-2021-1738 released |
| 2022-04-25 | CISA added to KEV (7 days after disclosure); active exploitation confirmed |
| 2022-05-16 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2022-29464 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| WSO2 Security Advisory WSO2-2021-1738 | Vendor Advisory |