PatchDay Alert
Analysis · 3 min read · 586 words · By operations-desk

WSO2 CVE-2022-29464: an upload bug on the box that brokers your APIs and logins

CVE-2022-29464 is an unauthenticated file-upload-to-RCE in WSO2 products. The bug is a familiar one. What makes it serious is where it lives: API management and identity middleware that sits in front of your services and authenticates your users.

CVE-2022-29464 is, mechanically, a bug we’ve seen many times: an unrestricted file upload with path traversal that lets an unauthenticated attacker write a file outside the intended directory, drop a web shell into a web-reachable location, and get remote code execution. It has the same shape as the dotCMS upload bug, where the upload handler trusted attacker-controlled path data. What makes this one worth its own note isn’t the mechanism; it’s the product. WSO2 makes API management, identity server, and enterprise integration middleware, the components that sit in front of your services and authenticate your users. RCE there is RCE on the access and integration layer.

What the bug is

CVE-2022-29464 is an unrestricted file upload vulnerability (CWE-22 path traversal) affecting multiple WSO2 products, including API Manager, Identity Server, and Enterprise Integrator. An unauthenticated attacker uploads a malicious file whose path escapes the intended location, plants a web shell, and executes code as the WSO2 user. CISA added it to its Known Exploited Vulnerabilities catalog with the ransomware flag, and it was mass-exploited after disclosure, with public exploits and scanning following quickly. Patches and mitigation guidance came from WSO2 across affected versions.

Why the asset raises the stakes

WSO2’s products are infrastructure for access and integration:

  • API Manager / gateway sits in front of your APIs, often holding the keys, tokens, and routing for service-to-service and partner traffic. Code execution there is a position to intercept, forge, and redirect API calls.
  • Identity Server authenticates users and issues tokens. Compromising it is compromising the identity layer, the same crown-jewel concern as the VMware Workspace ONE and ManageEngine bugs.
  • Enterprise Integrator brokers data between systems, so it tends to hold credentials and connectivity into many backends.

A “generic” upload bug becomes a high-severity incident because of what the compromised box can reach and impersonate. This is the recurring theme of the catalog’s middleware entries: the bug class is ordinary, the placement is not.

What to do

  • Patch WSO2 to a fixed version, per WSO2’s advisory for your specific product and version. Given unauthenticated RCE with public exploitation, treat it as urgent.
  • Get the WSO2 management and upload endpoints off the open internet where the architecture allows, behind a gateway or access controls. Public exposure is what made the mass-scanning effective.
  • Assume compromise on exposed, unpatched instances. Hunt for web shells in WSO2 web directories, the WSO2/Java process spawning shells, and unexpected outbound connections. Because this is identity and API infrastructure, also rotate the credentials, keys, and tokens it held, and review for token forgery or API abuse.
  • Treat API and identity middleware as tier-zero. Inventory where WSO2 (and equivalents) run, segment them, and apply the same patch urgency and monitoring you’d give a domain controller.
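Two of the hunt checks above, written out as an added example (not code from the page or from WSO2): flag a WSO2 Java process that spawns a shell, and flag executable web files that appeared under the webapp root after the last legitimate deployment. The telemetry is constructed, and WSO2_MARKER and WEB_ROOT are assumptions to adjust to your own hosts.

```python
"""Post-exploitation hunt helpers for a WSO2 host exposed to CVE-2022-29464.
Added example, not WSO2's code; all sample events and paths are constructed."""
from pathlib import PurePosixPath

# Assumption: the WSO2 server runs as a java process whose command line names
# a Carbon class; change the marker to what your own hosts actually show.
WSO2_MARKER = "org.wso2.carbon"
# Shells an API/identity middleware process has no reason to spawn.
SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe", "pwsh"}
# Server-side executable extensions on a Tomcat-style web tier.
WEB_EXEC_EXT = {".jsp", ".jspx"}

def is_wso2_java(cmdline: str) -> bool:
    exe = PurePosixPath(cmdline.split()[0]).name.lower()
    return exe.startswith("java") and WSO2_MARKER in cmdline

def shell_spawns(events):
    """Events where a WSO2 java process spawned a shell. Each event is a dict
    with parent_cmdline, child_image and child_cmdline (EDR/auditd style)."""
    return [e for e in events
            if is_wso2_java(e["parent_cmdline"])
            and PurePosixPath(e["child_image"]).name.lower() in SHELLS]

def new_web_executables(files, web_root, last_deploy_epoch):
    """Executable web files under web_root modified after the last known
    legitimate deployment. files: iterable of (path, mtime_epoch)."""
    root = web_root.rstrip("/") + "/"
    return sorted(p for p, mtime in files
                  if p.startswith(root)
                  and PurePosixPath(p).suffix.lower() in WEB_EXEC_EXT
                  and mtime > last_deploy_epoch)

# Constructed sample telemetry (not real logs).
EVENTS = [
    {"parent_cmdline": "/opt/java/bin/java -Xmx2g org.wso2.carbon.bootstrap.Bootstrap",
     "child_image": "/bin/sh", "child_cmdline": "sh -c id"},
    {"parent_cmdline": "/opt/java/bin/java -Xmx2g org.wso2.carbon.bootstrap.Bootstrap",
     "child_image": "/usr/bin/keytool", "child_cmdline": "keytool -list"},
    {"parent_cmdline": "/usr/sbin/cron", "child_image": "/bin/sh",
     "child_cmdline": "sh -c /etc/cron.daily/logrotate"},
]
WEB_ROOT = "/opt/wso2/webapps"   # placeholder; use your product's webapp root
LAST_DEPLOY = 1_650_000_000      # epoch of the last legitimate deployment
FILES = [
    (WEB_ROOT + "/portal/index.jsp", 1_640_000_000),  # shipped with the product
    (WEB_ROOT + "/portal/x.jsp", 1_650_900_000),      # appeared after deployment
    (WEB_ROOT + "/portal/logo.png", 1_650_900_000),   # new, but not executable
    ("/tmp/y.jsp", 1_650_900_000),                    # outside the web root
]
```

Calling shell_spawns(EVENTS) returns only the java-to-sh event, and new_web_executables(FILES, WEB_ROOT, LAST_DEPLOY) returns only the late-appearing x.jsp; feed both functions your real process and file telemetry in the same shapes.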

The reframe is the one that keeps recurring through the middleware entries: don’t rank a bug by its class alone, rank it by what it lands on. A file-upload RCE is routine until it’s on the server that authenticates your users and fronts your APIs, at which point it’s a path to the access layer of the whole environment. Patch WSO2, take its admin surface off the internet, and classify your API and identity middleware as the high-value infrastructure it is. We flag these middleware entries because the unremarkable bug on the remarkable box is exactly where intrusions get their leverage.
