EUVD-2025-209263

CVE-2025-24817 | HIGH | CVSS 3.1: 8.0
2026-04-07 | Nokia | GHSA-gfh5-8jx4-qc72

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

EUVD ID Assigned: Apr 07, 2026 - 15:30 (euvd), EUVD-2025-209263
Analysis Generated: Apr 07, 2026 - 15:30 (vuln.today)
CVE Published: Apr 07, 2026 - 15:09 (nvd), HIGH 8.0

Description

Nokia MantaRay NM is vulnerable to an OS command injection vulnerability due to improper neutralization of special elements used in an OS command in the Symptom Collector application.

Analysis

OS command injection in the Nokia MantaRay NM Symptom Collector application allows authenticated attackers on an adjacent network to execute arbitrary OS commands with high confidentiality, integrity, and availability impact. The vulnerability affects all versions prior to 25R1-NM and requires low-privilege authenticated access over an adjacent network, with low attack complexity. No public exploit was identified at the time of analysis, and the EPSS exploitation probability is 0.06% (19th percentile), indicating a relatively low predicted likelihood of exploitation despite the high CVSS score.

Technical Context

This vulnerability (CWE-78: OS Command Injection) affects the Symptom Collector application component within the Nokia MantaRay Network Management (NM) platform. Command injection vulnerabilities occur when an application passes unsanitized user input directly to system shell commands, allowing attackers to inject malicious commands using special characters such as semicolons, pipes, or backticks. The affected product (cpe:2.3:a:nokia:mantaray_nm) is Nokia's network management solution used for telecom infrastructure monitoring and configuration. The improper neutralization of special elements means the application fails to validate or sanitize input parameters before incorporating them into OS-level command execution, creating a direct path from user input to system shell execution.

Affected Products

Nokia MantaRay NM network management platform versions earlier than 25R1-NM are affected by this command injection vulnerability. The CPE identifier cpe:2.3:a:nokia:mantaray_nm confirms the product scope. According to Nokia's product security advisory at https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24817/, all versions prior to the 25R1-NM release contain the vulnerable Symptom Collector application component. Organizations running any MantaRay NM deployment should verify their current version against the 25R1-NM baseline to determine exposure.

Remediation

Vendor-released patch: Nokia MantaRay NM version 25R1-NM. Organizations should immediately upgrade all MantaRay NM installations to version 25R1-NM or later to remediate this command injection vulnerability. The complete remediation guidance and patch distribution information is available in Nokia's official product security advisory at https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24817/. As an interim compensating control before patching, organizations should restrict network access to the MantaRay NM management interface to only essential administrative networks using network segmentation, firewall rules, or VPN requirements. Review and minimize the number of accounts with access to the Symptom Collector application functionality, and implement enhanced logging and monitoring for suspicious command execution activity on MantaRay NM systems until patching is complete.

Priority Score

40
KEV: 0
EPSS: +0.1
CVSS: +40
POC: 0
