Skip to main content

Nokia CVE-2025-24818

| EUVDEUVD-2025-209264 HIGH
Command Injection (CWE-77)
2026-04-07 Nokia GHSA-gc74-chmx-fghj
8.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.0 HIGH
AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 22, 2026 - 19:07 vuln.today
cvss_changed
EUVD ID Assigned
Apr 07, 2026 - 15:30 euvd
EUVD-2025-209264
Analysis Generated
Apr 07, 2026 - 15:30 vuln.today
CVE Published
Apr 07, 2026 - 15:13 nvd
HIGH 8.0

DescriptionCVE.org

Nokia MantaRay NM is vulnerable to an OS command injection vulnerability due to improper neutralization of special elements used in an OS command in Log Search application.

AnalysisAI

OS command injection in Nokia MantaRay NM Log Search application allows authenticated adjacent network attackers to execute arbitrary OS commands with high impact to confidentiality, integrity, and availability. The vulnerability affects versions prior to 25R1-NM due to improper neutralization of special elements in OS commands (CWE-77). CVSS score of 8.0 reflects high severity with low attack complexity requiring low-level authentication from adjacent network position. No public exploit identified at time of analysis, though command injection vulnerabilities are well-understood and relatively straightforward to exploit once access requirements are met.

Technical ContextAI

This vulnerability stems from CWE-77 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS command injection. The flaw exists in the Log Search application component of Nokia MantaRay NM, a network management platform. Command injection occurs when user-supplied input is passed to system shell commands without proper sanitization, allowing attackers to inject shell metacharacters or command separators to execute arbitrary commands. The CPE identifier cpe:2.3:a:nokia:mantaray_nm indicates this affects the MantaRay NM application software. The adjacent network attack vector (AV:A) suggests the vulnerable interface is accessible from the same network segment but not directly from the internet, typical of management interfaces in enterprise network management systems. Low privileges required (PR:L) indicates a standard authenticated user account is sufficient for exploitation, without requiring administrative credentials.

RemediationAI

Vendor-released patch: Organizations should immediately upgrade Nokia MantaRay NM to version 25R1-NM or later, which addresses the OS command injection vulnerability in the Log Search application. The upgrade should be prioritized for production deployments, particularly those where MantaRay NM is accessible from broader network segments or where multiple users have authenticated access. As interim risk mitigation while planning upgrades, organizations should restrict network access to MantaRay NM management interfaces using firewall rules or network segmentation, limit user account privileges to only those requiring Log Search functionality, and implement enhanced monitoring for suspicious command execution patterns in MantaRay NM logs. Complete remediation guidance and patch download information are available in Nokia's product security advisory at https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24818/ and additional technical details at https://nvd.nist.gov/vuln/detail/CVE-2025-24818.

More in Nokia

View all
CVE-2012-2619 HIGH POC
7.8 Nov 14

The Broadcom BCM4325 and BCM4329 Wi-Fi chips, as used in certain Acer, Apple, Asus, Ford, HTC, Kyocera, LG, Malata, Moto

CVE-2022-28866 HIGH POC
8.8 Oct 12

Multiple Improper Access Control was discovered in Nokia AirFrame BMC Web GUI < R18 Firmware v4.13.00. Rated high severi

CVE-2021-45896 HIGH POC
8.8 Dec 27

Nokia FastMile 3TG00118ABAD52 devices allow privilege escalation by an authenticated user via is_ctc_admin=1 to login_we

CVE-2019-17403 HIGH POC
8.8 Nov 25

Nokia IMPACT < 18A: An unrestricted File Upload vulnerability was found that may lead to Remote Code Execution. Rated hi

CVE-2022-36222 HIGH POC
8.4 Dec 21

Nokia Fastmile 3tg00118abad52 devices shipped by Optus are shipped with a default hardcoded admin account of admin:Nq+L5

CVE-2023-41376 HIGH POC
7.5 Aug 29

Nokia Service Router Operating System (SR OS) 22.10 and SR Linux, when error-handling update-fault-tolerance is not enab

CVE-2012-2442 MEDIUM POC
4.3 Jul 25

Buffer overflow in the Video Manager in Nokia PC Suite 7.1.180.64 and earlier allows remote attackers to cause a denial

CVE-2019-7386 MEDIUM POC
6.5 Mar 21

A Denial of Service issue has been discovered in the Gecko component of KaiOS 2.5 10.05 (platform 48.0.a2) on Nokia 8810

CVE-2023-25187 HIGH POC
7.0 Jun 16

An issue was discovered on NOKIA Airscale ASIKA Single RAN devices before 21B. Rated high severity (CVSS 7.0). Public ex

CVE-2014-6602 MEDIUM POC
6.6 Sep 22

Microsoft Asha OS on the Microsoft Mobile Nokia Asha 501 phone 14.0.4 allows physically proximate attackers to bypass th

CVE-2022-45899 MEDIUM POC
6.5 May 08

Nokia Broadcast Message Center (BMC) before 13.1 allows an unauthenticated remote attacker to do OS command injection as

CVE-2022-36221 MEDIUM POC
6.5 Dec 21

Nokia Fastmile 3tg00118abad52 is affected by an authenticated path traversal vulnerability which allows attackers to rea

Share

CVE-2025-24818 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy