How to fix CVE-2025-13590?

Within 24 hours: Identify all Api Control Plane instances running version 4.5.0 or earlier and isolate them from production networks if possible; enable enhanced logging and monitoring for upload activities. Within 7 days: Implement file upload restrictions at the WAF/load balancer level to block executable file types; restrict API Control Plane access to trusted networks only using network segmentation. Within 30 days: Plan and execute upgrade to version 4.5.1 or later once vendor patch is released; conduct forensic review of upload logs for signs of exploitation.

Is Api Manager affected by CVE-2025-13590?

Api Control Plane versions 4.5.0 and below contain a critical vulnerability allowing attackers to upload malicious files, potentially leading to unauthorized code execution and complete system compromise.

CVE-2025-13590

CRITICAL

2026-02-19 ed10eef1-636d-4fbe-9993-6890dfa878f8

GHSA-p6jf-79j3-33f3

9.1

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 22:03 vuln.today

CVE Published

Feb 19, 2026 - 10:16 nvd

CRITICAL 9.1

Description

A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution. By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.

Analysis

Arbitrary file upload by admin users in VMware product via REST API. Allows uploading to user-controlled locations within the deployment.

Technical Context

CWE-434 in system REST API. Admin users can specify upload destination.

Affected Products

['Affected VMware product']

Remediation

Apply vendor patch. Restrict upload paths.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.3

CVSS: +46

POC: 0

CVE-2025-13590 vulnerability details – vuln.today

Back

CVE-2025-13590

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-13590

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code