Severity by source
AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Nokia MantaRay NM is vulnerable to a Relative Path Traversal vulnerability due to improper validation of input parameter on the file system in Software Manager application.
AnalysisAI
Relative path traversal in Nokia MantaRay NM Software Manager allows authenticated local network attackers to read sensitive files on the affected system. The vulnerability stems from improper validation of input parameters in the file system handling code, enabling an attacker with local network access and low privileges to enumerate and access files outside the intended directory structure without modifying or disrupting them. No public exploit code or active exploitation has been confirmed at the time of analysis.
Technical ContextAI
The vulnerability is classified as CWE-23 (Relative Path Traversal), a path traversal flaw in which insufficient input validation allows an attacker to construct file paths using relative path components (e.g., '../' sequences) to access files outside the intended base directory. The affected product is Nokia MantaRay NM, a network management application suite. The flaw exists in the Software Manager application component, which handles file operations on the underlying file system. An attacker can craft malicious file path inputs that, when processed without proper canonicalization or validation, resolve to arbitrary locations on the system. The CPE cpe:2.3:a:nokia:mantaray_nm indicates the vulnerability affects all versions of the MantaRay NM product line, with the specific constraint that versions prior to 25R1-NM are vulnerable.
RemediationAI
Vendor-released patch: Upgrade to MantaRay NM 25R1-NM or later. This version incorporates input validation and path canonicalization fixes to prevent relative path traversal attacks in the Software Manager application. Organizations unable to upgrade immediately should restrict network access to the MantaRay NM Software Manager component using firewall rules and network segmentation to limit exposure to trusted management networks only, and audit file access logs for suspicious traversal attempts. For additional guidance and to confirm patch applicability for your specific deployment, consult the Nokia security advisory at https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24819/.
The Broadcom BCM4325 and BCM4329 Wi-Fi chips, as used in certain Acer, Apple, Asus, Ford, HTC, Kyocera, LG, Malata, Moto
Multiple Improper Access Control was discovered in Nokia AirFrame BMC Web GUI < R18 Firmware v4.13.00. Rated high severi
Nokia FastMile 3TG00118ABAD52 devices allow privilege escalation by an authenticated user via is_ctc_admin=1 to login_we
Nokia IMPACT < 18A: An unrestricted File Upload vulnerability was found that may lead to Remote Code Execution. Rated hi
Nokia Fastmile 3tg00118abad52 devices shipped by Optus are shipped with a default hardcoded admin account of admin:Nq+L5
Nokia Service Router Operating System (SR OS) 22.10 and SR Linux, when error-handling update-fault-tolerance is not enab
Buffer overflow in the Video Manager in Nokia PC Suite 7.1.180.64 and earlier allows remote attackers to cause a denial
A Denial of Service issue has been discovered in the Gecko component of KaiOS 2.5 10.05 (platform 48.0.a2) on Nokia 8810
An issue was discovered on NOKIA Airscale ASIKA Single RAN devices before 21B. Rated high severity (CVSS 7.0). Public ex
Microsoft Asha OS on the Microsoft Mobile Nokia Asha 501 phone 14.0.4 allows physically proximate attackers to bypass th
Nokia Broadcast Message Center (BMC) before 13.1 allows an unauthenticated remote attacker to do OS command injection as
Nokia Fastmile 3tg00118abad52 is affected by an authenticated path traversal vulnerability which allows attackers to rea
Same weakness CWE-23 – Relative Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209265
GHSA-hr6r-6h98-gh58