Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
API reachable over network (AV:N), low complexity, requires authenticated low-privilege account (PR:L); only confidentiality impacted as no write or availability consequence is described.
Primary rating from Vendor (Nokia).
CVSS VectorVendor: Nokia
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Nokia MantaRay is subject to an Improper Access Control vulnerability due to insufficient authorization within the API. Successful exploitation could allow an authenticated attacker to retrieve confidential information beyond their assigned privileges.
AnalysisAI
Insufficient authorization enforcement in the Nokia MantaRay NM API allows authenticated low-privilege users to retrieve confidential data beyond their assigned role boundaries. Affected are all Nokia MantaRay NM deployments running versions prior to 25R2-NM, a telecom-focused network management platform. No public exploit code or CISA KEV listing has been identified; with EPSS at 0.18% (7th percentile), real-world exploitation pressure is currently low, though the high confidentiality impact and low attack complexity make patching a priority for any operator with untrusted authenticated users.
Technical ContextAI
Nokia MantaRay NM is a network management platform deployed in telecom operator environments, providing centralized management of network elements via an API. The vulnerability is classified as CWE-284 (Improper Access Control), indicating the API layer fails to enforce server-side privilege boundaries on a per-request basis - a pattern consistent with broken object-level authorization (BOLA) or horizontal/vertical privilege escalation via direct API manipulation. The CPE cpe:2.3:a:nokia:mantaray_nm:*:*:*:*:*:*:*:* covers all versions of the product up to the patched release. Because the CVSS vector assigns PR:L (low-privilege authentication required), the authorization flaw is post-authentication: the system correctly validates identity but fails to restrict what resources that identity is permitted to read.
RemediationAI
Upgrade Nokia MantaRay NM to version 25R2-NM or later, as confirmed by ENISA EUVD-2025-210370 and the Nokia vendor advisory at https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24816/. Patch is confirmed available from the vendor. If immediate upgrade is operationally constrained, restrict API access to only explicitly trusted, least-privilege user accounts, and audit existing role assignments to identify any accounts with broader access than their operational role requires. Additionally, limit API endpoint reachability to management-only VLANs or enforce IP allowlisting to reduce the attacker population to known management hosts - this narrows the window of opportunity until the patch is applied, though it does not eliminate the authorization flaw itself.
More in Mantaray Nm
View allArbitrary file upload in Nokia MantaRay NM (network management) prior to 25R2-NM allows an authenticated, low-privileged
Local privilege escalation in Nokia MantaRay NM (network management) lets an attacker who already holds local administra
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210370
GHSA-rr5r-rhqx-65gr