What is the CVSS score of CVE-2025-13590?

CVE-2025-13590 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.3%.

Which versions of Api Manager are affected by CVE-2025-13590?

Api Control Plane versions 4.5.0 and below contain a critical vulnerability allowing attackers to upload malicious files, potentially leading to unauthorized code execution and complete system…. A patch is available.

How to fix or mitigate CVE-2025-13590?

Within 24 hours: Identify all Api Control Plane instances running version 4.5.0 or earlier and isolate them from production networks if possible; enable enhanced logging and monitoring for upload activities. Within 7 days: Implement file upload restrictions at the WAF/load balancer level to block executable file types; restrict API Control Plane access to trusted networks only using network segmentation. Within 30 days: Plan and execute upgrade to version 4.5.1 or later once vendor patch is released; conduct forensic review of upload logs for signs of exploitation.

Api Manager CVE-2025-13590

CRITICAL

Unrestricted Upload of File with Dangerous Type (CWE-434)

2026-02-19 ed10eef1-636d-4fbe-9993-6890dfa878f8

GHSA-p6jf-79j3-33f3

RCE Api Manager Universal Gateway Traffic Manager Api Control Plane

9.1

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.1 CRITICAL

AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 22:03 vuln.today

CVE Published

Feb 19, 2026 - 10:16 nvd

CRITICAL 9.1

DescriptionCVE.org

A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution.

By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.

AnalysisAI

Arbitrary file upload by admin users in VMware product via REST API. Allows uploading to user-controlled locations within the deployment.

Technical ContextAI

CWE-434 in system REST API. Admin users can specify upload destination.

RemediationAI

Apply vendor patch. Restrict upload paths.

CVE-2025-13590 vulnerability details – vuln.today

Back

Api Manager CVE-2025-13590

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code