Impact
The vulnerability arises from the throttling event handler in multiple WSO2 products, which accepts user-supplied JSON payloads without sufficient validation. An unauthenticated remote attacker can craft malicious JSON and send it, triggering a related services. The disruption is permanent and requires manual intervention to restore normal operations.
Affected Systems
WSO2 API Control Plane, WSO2 API Manager, WSO2 Traffic Manager, and WSO2 Universal Gateway. All current versions of these products are affected.
Risk and Exploitability
With a CVSS score of 8.6 the vulnerability is classified as high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is unauthenticated remote, relying on sending malicious JSON to the throttling event API; no authentication or privileged access is required.
OpenCVE Enrichment