Skip to main content

Nokia MantaRay NM CVE-2025-24816

| EUVDEUVD-2025-210370 MEDIUM
Improper Access Control (CWE-284)
2026-06-30 Nokia GHSA-rr5r-rhqx-65gr
6.5
CVSS 3.1 · Vendor: Nokia
Share

Severity by source

Vendor (Nokia) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

API reachable over network (AV:N), low complexity, requires authenticated low-privilege account (PR:L); only confidentiality impacted as no write or availability consequence is described.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Nokia).

CVSS VectorVendor: Nokia

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 30, 2026 - 14:24 vuln.today
CVSS changed
Jun 30, 2026 - 14:22 NVD
6.5 (MEDIUM)
Patch available
Jun 30, 2026 - 11:01 EUVD
CVE Published
Jun 30, 2026 - 08:58 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Nokia MantaRay is subject to an Improper Access Control vulnerability due to insufficient authorization within the API. Successful exploitation could allow an authenticated attacker to retrieve confidential information beyond their assigned privileges.

AnalysisAI

Insufficient authorization enforcement in the Nokia MantaRay NM API allows authenticated low-privilege users to retrieve confidential data beyond their assigned role boundaries. Affected are all Nokia MantaRay NM deployments running versions prior to 25R2-NM, a telecom-focused network management platform. No public exploit code or CISA KEV listing has been identified; with EPSS at 0.18% (7th percentile), real-world exploitation pressure is currently low, though the high confidentiality impact and low attack complexity make patching a priority for any operator with untrusted authenticated users.

Technical ContextAI

Nokia MantaRay NM is a network management platform deployed in telecom operator environments, providing centralized management of network elements via an API. The vulnerability is classified as CWE-284 (Improper Access Control), indicating the API layer fails to enforce server-side privilege boundaries on a per-request basis - a pattern consistent with broken object-level authorization (BOLA) or horizontal/vertical privilege escalation via direct API manipulation. The CPE cpe:2.3:a:nokia:mantaray_nm:*:*:*:*:*:*:*:* covers all versions of the product up to the patched release. Because the CVSS vector assigns PR:L (low-privilege authentication required), the authorization flaw is post-authentication: the system correctly validates identity but fails to restrict what resources that identity is permitted to read.

RemediationAI

Upgrade Nokia MantaRay NM to version 25R2-NM or later, as confirmed by ENISA EUVD-2025-210370 and the Nokia vendor advisory at https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24816/. Patch is confirmed available from the vendor. If immediate upgrade is operationally constrained, restrict API access to only explicitly trusted, least-privilege user accounts, and audit existing role assignments to identify any accounts with broader access than their operational role requires. Additionally, limit API endpoint reachability to management-only VLANs or enforce IP allowlisting to reduce the attacker population to known management hosts - this narrows the window of opportunity until the patch is applied, though it does not eliminate the authorization flaw itself.

Share

CVE-2025-24816 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy