CVE-2025-24818

EUVD-2025-209264 | GHSA-gc74-chmx-fghj
Severity: HIGH (CVSS 3.1 score 8.0)
2026-04-07 | Nokia

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (3 events)

EUVD ID Assigned: Apr 07, 2026 - 15:30 (euvd), EUVD-2025-209264
Analysis Generated: Apr 07, 2026 - 15:30 (vuln.today)
CVE Published: Apr 07, 2026 - 15:13 (nvd), HIGH 8.0

Description

Nokia MantaRay NM is affected by an OS command injection vulnerability due to improper neutralization of special elements used in an OS command in the Log Search application.

Analysis

OS command injection in the Nokia MantaRay NM Log Search application allows authenticated attackers on an adjacent network to execute arbitrary OS commands, with high impact on confidentiality, integrity, and availability. The vulnerability affects versions prior to 25R1-NM and is caused by improper neutralization of special elements in OS commands (CWE-77). The CVSS score of 8.0 reflects high severity: attack complexity is low, and exploitation requires low-level authentication from an adjacent network position. No public exploit was identified at the time of analysis, though command injection vulnerabilities are well understood and relatively straightforward to exploit once the access requirements are met.

Technical Context

This vulnerability stems from CWE-77 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS command injection. The flaw exists in the Log Search application component of Nokia MantaRay NM, a network management platform. Command injection occurs when user-supplied input is passed to system shell commands without proper sanitization, allowing attackers to inject shell metacharacters or command separators to execute arbitrary commands. The CPE identifier cpe:2.3:a:nokia:mantaray_nm indicates this affects the MantaRay NM application software. The adjacent network attack vector (AV:A) suggests the vulnerable interface is accessible from the same network segment but not directly from the internet, typical of management interfaces in enterprise network management systems. Low privileges required (PR:L) indicates a standard authenticated user account is sufficient for exploitation, without requiring administrative credentials.
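The pattern described above, shown as an added illustration beside its hardened form. This is not Nokia's code: the helper names, the use of `grep` as the search backend and the sample log lines are all assumptions made for the example.

```python
import shlex
import subprocess
import tempfile

# Hypothetical log-search helpers (assumed names; not MantaRay NM code).

def vulnerable_cmdline(term, logfile):
    """Anti-pattern: the term is pasted into a string later run with `sh -c`."""
    return f"grep {term} {logfile}"

def shell_control_operators(cmdline):
    """List unquoted operators (; | & ( ) < >) a shell would act on.
    Illustration of how the string is parsed, not an input filter."""
    lexer = shlex.shlex(cmdline, posix=False, punctuation_chars=True)
    return [tok for tok in lexer if set(tok) <= set("();<>|&")]

def safe_argv(term, logfile):
    """Hardened form: no shell, the term stays a single argv element."""
    if "\x00" in term or "\n" in term:
        raise ValueError("control character in search term")
    # -F literal match; -e marks the pattern even if it starts with '-';
    # -- ends option parsing so the file name cannot be read as a flag.
    return ["grep", "-F", "-e", term, "--", logfile]

def safe_search(term, logfile):
    """Run the search without a shell and return the matching lines."""
    proc = subprocess.run(safe_argv(term, logfile),
                          capture_output=True, text=True, timeout=10)
    if proc.returncode not in (0, 1):  # grep: 0 match, 1 no match, >1 error
        raise RuntimeError(proc.stderr.strip())
    return proc.stdout.splitlines()

if __name__ == "__main__":
    term = "timeout; echo INJECTED"  # constructed input with a separator
    print(shell_control_operators(vulnerable_cmdline(term, "app.log")))
    with tempfile.NamedTemporaryFile("w", suffix=".log") as log:
        # Constructed sample log lines.
        log.write("10:00 link timeout on port 3\n"
                  "10:01 search term was: timeout; echo INJECTED\n")
        log.flush()
        print(safe_search("timeout", log.name))  # both lines
        print(safe_search(term, log.name))       # only the literal match
```

In the string form the separator becomes shell syntax; in the argv form the same input is only a fixed-string pattern handed to one process.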

Affected Products

Nokia MantaRay NM versions earlier than 25R1-NM are affected by this command injection vulnerability, as confirmed by ENISA EUVD-2025-209264. The vulnerability specifically impacts the Log Search application component within the MantaRay NM network management platform. Organizations should inventory all MantaRay NM deployments and verify version numbers against the 25R1-NM release threshold. Complete product identification follows CPE specification cpe:2.3:a:nokia:mantaray_nm for vulnerable versions. Detailed product security information is available in Nokia's official advisory at https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24818/.

Remediation

Vendor-released patch: Organizations should immediately upgrade Nokia MantaRay NM to version 25R1-NM or later, which addresses the OS command injection vulnerability in the Log Search application. The upgrade should be prioritized for production deployments, particularly those where MantaRay NM is accessible from broader network segments or where multiple users have authenticated access. As interim risk mitigation while planning upgrades, organizations should restrict network access to MantaRay NM management interfaces using firewall rules or network segmentation, limit user account privileges to only those requiring Log Search functionality, and implement enhanced monitoring for suspicious command execution patterns in MantaRay NM logs. Complete remediation guidance and patch download information are available in Nokia's product security advisory at https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24818/ and additional technical details at https://nvd.nist.gov/vuln/detail/CVE-2025-24818.

Priority Score

40 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +40
POC: 0
