CVE-2025-24819

EUVD-2025-209265 | GHSA-hr6r-6h98-gh58 | Nokia | 2026-04-07
MEDIUM 5.7 (CVSS 3.1)

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

EUVD ID Assigned: Apr 07, 2026 - 15:30 (euvd), EUVD-2025-209265
Analysis Generated: Apr 07, 2026 - 15:30 (vuln.today)
CVE Published: Apr 07, 2026 - 15:14 (nvd), MEDIUM 5.7

Description

Nokia MantaRay NM is vulnerable to a Relative Path Traversal vulnerability due to improper validation of input parameter on the file system in Software Manager application.

Analysis

Relative path traversal in Nokia MantaRay NM Software Manager allows authenticated attackers on the local (adjacent) network to read sensitive files on the affected system. The vulnerability stems from improper validation of input parameters in the file system handling code: an attacker with local network access and low privileges can enumerate and access files outside the intended directory structure, without modifying or disrupting them. No public exploit code or active exploitation has been confirmed at the time of analysis.

Technical Context

The vulnerability is classified as CWE-23 (Relative Path Traversal), a path traversal flaw in which insufficient input validation allows an attacker to construct file paths using relative path components (e.g., '../' sequences) to access files outside the intended base directory. The affected product is Nokia MantaRay NM, a network management application suite. The flaw exists in the Software Manager application component, which handles file operations on the underlying file system. An attacker can craft malicious file path inputs that, when processed without proper canonicalization or validation, resolve to arbitrary locations on the system. The CPE cpe:2.3:a:nokia:mantaray_nm matches the MantaRay NM product line as a whole; the accompanying version constraint limits the vulnerable range to versions prior to 25R1-NM.
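
The canonicalize-then-check validation this section refers to, as an added example (generic Python, not Nokia's code or the MantaRay NM fix): a naive join beside a resolver that canonicalizes the path before testing containment. The function names, directory layout and request names are hypothetical.

```python
import os
import tempfile


class PathEscapeError(ValueError):
    """The requested path resolves outside the permitted base directory."""


def naive_resolve(base_dir, user_path):
    # Vulnerable pattern (CWE-23): joins without canonicalizing, so relative
    # components in user_path can climb out of base_dir.
    return os.path.join(base_dir, user_path)


def safe_resolve(base_dir, user_path):
    # Canonicalize first (collapses '..' and follows symlinks), then require
    # the result to stay under the canonical base directory.
    if "\x00" in user_path:
        raise PathEscapeError("NUL byte in path")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath compares whole components, so a sibling such as
    # 'packages_old' is not mistaken for being inside 'packages'.
    if os.path.commonpath([base, candidate]) != base:
        raise PathEscapeError(f"{user_path!r} escapes {base_dir!r}")
    return candidate


def audit(base_dir, requests):
    # Map each requested name to True (accepted) or False (rejected).
    results = {}
    for req in requests:
        try:
            safe_resolve(base_dir, req)
            results[req] = True
        except PathEscapeError:
            results[req] = False
    return results


if __name__ == "__main__":
    # Constructed layout and request names, for illustration only.
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "packages")
        os.makedirs(base)
        samples = ["release/image.bin", "sub/../image.bin",
                   "../secret.txt", "../packages_old/image.bin", "/etc/hostname"]
        for name, ok in audit(base, samples).items():
            print(f"{'accept' if ok else 'reject'}  {name}")
```

A string-prefix test on the un-canonicalized path would accept the sibling-directory and symlink cases that this check rejects.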

Affected Products

Nokia MantaRay NM versions prior to 25R1-NM are affected, as indicated by the CPE cpe:2.3:a:nokia:mantaray_nm:*:*:*:*:*:*:*:* together with the EUVD constraint specifying MantaRay NM earlier than 25R1-NM. This includes all legacy and current production releases up to but not including the 25R1-NM version. Refer to the Nokia security advisory at https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24819/ for a complete list of affected version numbers and build identifiers.

Remediation

Vendor-released patch: Upgrade to MantaRay NM 25R1-NM or later. This version incorporates input validation and path canonicalization fixes to prevent relative path traversal attacks in the Software Manager application. Organizations unable to upgrade immediately should restrict network access to the MantaRay NM Software Manager component using firewall rules and network segmentation to limit exposure to trusted management networks only, and audit file access logs for suspicious traversal attempts. For additional guidance and to confirm patch applicability for your specific deployment, consult the Nokia security advisory at https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24819/.

Priority Score

29
KEV: 0
EPSS: +0.0
CVSS: +28
POC: 0
