Skip to main content

Nokia CVE-2025-24819

| EUVDEUVD-2025-209265 MEDIUM
Relative Path Traversal (CWE-23)
2026-04-07 Nokia GHSA-hr6r-6h98-gh58
5.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.7 MEDIUM
AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 07, 2026 - 15:30 euvd
EUVD-2025-209265
Analysis Generated
Apr 07, 2026 - 15:30 vuln.today
CVE Published
Apr 07, 2026 - 15:14 nvd
MEDIUM 5.7

DescriptionCVE.org

Nokia MantaRay NM is vulnerable to a Relative Path Traversal vulnerability due to improper validation of input parameter on the file system in Software Manager application.

AnalysisAI

Relative path traversal in Nokia MantaRay NM Software Manager allows authenticated local network attackers to read sensitive files on the affected system. The vulnerability stems from improper validation of input parameters in the file system handling code, enabling an attacker with local network access and low privileges to enumerate and access files outside the intended directory structure without modifying or disrupting them. No public exploit code or active exploitation has been confirmed at the time of analysis.

Technical ContextAI

The vulnerability is classified as CWE-23 (Relative Path Traversal), a path traversal flaw in which insufficient input validation allows an attacker to construct file paths using relative path components (e.g., '../' sequences) to access files outside the intended base directory. The affected product is Nokia MantaRay NM, a network management application suite. The flaw exists in the Software Manager application component, which handles file operations on the underlying file system. An attacker can craft malicious file path inputs that, when processed without proper canonicalization or validation, resolve to arbitrary locations on the system. The CPE cpe:2.3:a:nokia:mantaray_nm indicates the vulnerability affects all versions of the MantaRay NM product line, with the specific constraint that versions prior to 25R1-NM are vulnerable.

RemediationAI

Vendor-released patch: Upgrade to MantaRay NM 25R1-NM or later. This version incorporates input validation and path canonicalization fixes to prevent relative path traversal attacks in the Software Manager application. Organizations unable to upgrade immediately should restrict network access to the MantaRay NM Software Manager component using firewall rules and network segmentation to limit exposure to trusted management networks only, and audit file access logs for suspicious traversal attempts. For additional guidance and to confirm patch applicability for your specific deployment, consult the Nokia security advisory at https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24819/.

More in Nokia

View all
CVE-2012-2619 HIGH POC
7.8 Nov 14

The Broadcom BCM4325 and BCM4329 Wi-Fi chips, as used in certain Acer, Apple, Asus, Ford, HTC, Kyocera, LG, Malata, Moto

CVE-2022-28866 HIGH POC
8.8 Oct 12

Multiple Improper Access Control was discovered in Nokia AirFrame BMC Web GUI < R18 Firmware v4.13.00. Rated high severi

CVE-2021-45896 HIGH POC
8.8 Dec 27

Nokia FastMile 3TG00118ABAD52 devices allow privilege escalation by an authenticated user via is_ctc_admin=1 to login_we

CVE-2019-17403 HIGH POC
8.8 Nov 25

Nokia IMPACT < 18A: An unrestricted File Upload vulnerability was found that may lead to Remote Code Execution. Rated hi

CVE-2022-36222 HIGH POC
8.4 Dec 21

Nokia Fastmile 3tg00118abad52 devices shipped by Optus are shipped with a default hardcoded admin account of admin:Nq+L5

CVE-2023-41376 HIGH POC
7.5 Aug 29

Nokia Service Router Operating System (SR OS) 22.10 and SR Linux, when error-handling update-fault-tolerance is not enab

CVE-2012-2442 MEDIUM POC
4.3 Jul 25

Buffer overflow in the Video Manager in Nokia PC Suite 7.1.180.64 and earlier allows remote attackers to cause a denial

CVE-2019-7386 MEDIUM POC
6.5 Mar 21

A Denial of Service issue has been discovered in the Gecko component of KaiOS 2.5 10.05 (platform 48.0.a2) on Nokia 8810

CVE-2023-25187 HIGH POC
7.0 Jun 16

An issue was discovered on NOKIA Airscale ASIKA Single RAN devices before 21B. Rated high severity (CVSS 7.0). Public ex

CVE-2014-6602 MEDIUM POC
6.6 Sep 22

Microsoft Asha OS on the Microsoft Mobile Nokia Asha 501 phone 14.0.4 allows physically proximate attackers to bypass th

CVE-2022-45899 MEDIUM POC
6.5 May 08

Nokia Broadcast Message Center (BMC) before 13.1 allows an unauthenticated remote attacker to do OS command injection as

CVE-2022-36221 MEDIUM POC
6.5 Dec 21

Nokia Fastmile 3tg00118abad52 is affected by an authenticated path traversal vulnerability which allows attackers to rea

Share

CVE-2025-24819 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy