Skip to main content

Nokia SR Linux CVE-2025-9912

| EUVDEUVD-2025-210165 MEDIUM
Improper Privilege Management (CWE-269)
2026-06-16 Nokia GHSA-qpm5-pwpp-hh9x
6.3
CVSS 3.1 · Vendor: Nokia
Share

Severity by source

Vendor (Nokia) PRIMARY
6.3 MEDIUM
AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
vuln.today AI
7.8 HIGH

PR:L chosen because 'authenticated user' implies standard login, not pre-existing admin; C:H reflects superuser granting full read access to all system data.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Nokia).

CVSS VectorVendor: Nokia

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 13:28 vuln.today
CVSS changed
Jun 16, 2026 - 13:22 NVD
6.3 (MEDIUM)
Patch available
Jun 16, 2026 - 09:01 EUVD
CVE Published
Jun 16, 2026 - 05:58 cve.org
MEDIUM 6.3
CVE Published
Jun 16, 2026 - 05:58 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Nokia SR Linux is vulnerable to a local privilege escalation vulnerability. Successful exploitation of this vulnerability may allow an authenticated user to execute arbitrary commands with superuser privilege.

AnalysisAI

Local privilege escalation in Nokia SR Linux (multiple release branches prior to 23.10.8, 24.10.6, and 25.7.2) allows an authenticated local user to execute arbitrary commands with superuser (root) privilege. Rooted in CWE-269 (Improper Privilege Management), this flaw enables a user who has already obtained a local session on the network OS to break out of their assigned privilege boundary and gain full control of the system. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, Nokia has confirmed a patch and self-reported the issue.

Technical ContextAI

Nokia SR Linux is a modern, container-based network operating system designed for data-center routing and switching hardware. The affected CPE (cpe:2.3:a:nokia:nokia_sr_linux:*:*:*:*:*:*:*:*) spans the entire product line across three concurrent release branches. CWE-269 (Improper Privilege Management) indicates the root cause: the OS fails to correctly enforce privilege separation between an authenticated lower-privileged user context and superuser capabilities - typically manifesting as misconfigured SUID binaries, overly permissive sudo rules, insecure capability assignments, or privilege-dropping failures in a service or CLI subsystem. Because SR Linux uses a microservices and Linux container model underneath, a superuser breakout may also affect container boundaries and underlying host-level processes, amplifying the blast radius beyond what the S:U (Scope Unchanged) CVSS assignment might suggest.

RemediationAI

Nokia has released patches across all three affected branches; operators should upgrade to Nokia SR Linux 23.10.8 or later (LTS branch), 24.10.6 or later (maintenance branch), or 25.7.2 or later (current branch), per the Nokia security advisory at https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-9912/. Until patching is complete, compensating controls should focus on minimizing local account exposure: restrict interactive SSH and console access to SR Linux nodes to the smallest set of named operators using ACL-based source-IP filtering, enforce multi-factor authentication for all management-plane logins where supported, audit and remove unused local user accounts, and monitor for anomalous superuser session activity via syslog or SIEM alerting on privilege-elevation events. Note that restricting local account access limits operational flexibility during maintenance windows and should be balanced against change-management procedures.

Share

CVE-2025-9912 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy