What We Do
How We Do
Get Started
Security advisories

Critical WSO2 Vulnerability Exploited

May 2, 2022 | 2 MINS READ

Speak With A Security Expert Now



There is confirmed exploitation of the critical WSO2 vulnerability CVE-2022-29464 (CVSS: 9.8). WSO2 is an open-source technology provider that maintains a variety of products relating to Application Program Interface (API) and Identity management. CVE-2022-29464 is an unrestricted file upload vulnerability impacting multiple WSO2 products. Successful exploitation allows for unauthenticated Remote Code Execution (RCE). The vulnerability was initially disclosed on April 1st, 2022, and in the wild exploitation was confirmed by CISA in late April.

Proof-of-Concept (PoC) exploits are publicly available for this vulnerability; as such, eSentire Threat Intelligence assesses that multiple threat actor groups are currently exploiting the vulnerability in real-world attacks. Organizations are strongly recommended to apply the mitigations outlined in the following “What you should do about it” section.

What we're doing about it

What you should do about it

Additional information

In order to exploit CVE-2022-29464, threat actor(s) would upload a malicious JSP (web shell) script to the vulnerable upload route /fileupload/toolsAny on the victim’s webserver and take the advantage of a path traversal (also known as directory traversal) vulnerability to write and run the web shell from the web root (for example repository/deployment/server/webapps). Public reporting suggests that to date, exploitation has resulted in the deployment of cryptocurrency-mining malware and web shells. Web shells and miner malware are often leveraged as early-stage payloads, prior to additional malicious activity. As PoC exploits are publicly available, there is the potential for widespread exploitation of CVE-2022-29464 in the near future.

Impacted WSO2 products:


[1] https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1738
[2] https://www.cisa.gov/uscert/ncas/current-activity/2022/04/25/cisa-adds-seven-known-exploited-vulnerabilities-catalog
[3] https://github.com/wso2/carbon-kernel/pull/3152
[4] https://github.com/wso2/carbon-identity-framework/pull/3864
[5] https://github.com/wso2-extensions/identity-carbon-auth-rest/pull/167

View Most Recent Advisories