Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Requires an authenticated low-privilege account (PR:L) and local/management-plane access (AV:L); successful upload yields code execution with full High impact to C/I/A.
Primary rating from Vendor (Nokia).
CVSS VectorVendor: Nokia
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Nokia MantaRay NM is subject to an unrestricted file upload vulnerability due to insufficient file type validation. Successful exploitation could allow an authenticated attacker to upload malicious files onto the system.
AnalysisAI
Arbitrary file upload in Nokia MantaRay NM (network management) prior to 25R2-NM allows an authenticated, low-privileged attacker to bypass insufficient file-type validation and place malicious files on the host, leading to full compromise of confidentiality, integrity, and availability (CVSS 7.8). The flaw is a CWE-434 unrestricted upload; the CVSS vector specifies a local attack vector (AV:L) rather than remote network exploitation. No public exploit identified at time of analysis, and the EPSS score is very low (0.18%, 7th percentile).
Technical ContextAI
Nokia MantaRay NM is Nokia's converged network management platform used by carriers and large enterprises to operate and monitor mobile/transport network elements. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type): an upload handler validates file type insufficiently - typically trusting client-supplied content-type or extension rather than verifying actual content - so an attacker can submit executable or otherwise dangerous file types. The single affected CPE is cpe:2.3:a:nokia:mantaray_nm:*:*:*:*:*:*:*:*, indicating the application itself (all versions below the fixed release) rather than a specific embedded library.
RemediationAI
Upgrade to Nokia MantaRay NM 25R2-NM or later, the first release that contains the fix per the EUVD affected-version data (Patch available per vendor advisory); confirm the exact patched build against the Nokia product security advisory at https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24815/. Until the upgrade is applied, reduce risk by tightening account access - limit and audit the low-privilege accounts that can reach upload functionality, since exploitation requires authenticated (PR:L) and local (AV:L) access; restrict network/management-plane access to the MantaRay NM host to trusted operators only; and monitor the upload directories and web/application roots for unexpected executable or script files. The trade-off of restricting upload-capable accounts is reduced operational flexibility for legitimate users, so scope changes to non-essential roles first.
More in Mantaray Nm
View allLocal privilege escalation in Nokia MantaRay NM (network management) lets an attacker who already holds local administra
Insufficient authorization enforcement in the Nokia MantaRay NM API allows authenticated low-privilege users to retrieve
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210369
GHSA-2wj6-jgr2-x79w