Skip to main content

Nokia MantaRay NM EUVDEUVD-2025-210369

| CVE-2025-24815 HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-06-30 Nokia GHSA-2wj6-jgr2-x79w
7.8
CVSS 3.1 · Vendor: Nokia
Share

Severity by source

Vendor (Nokia) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Requires an authenticated low-privilege account (PR:L) and local/management-plane access (AV:L); successful upload yields code execution with full High impact to C/I/A.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Nokia).

CVSS VectorVendor: Nokia

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 30, 2026 - 14:22 vuln.today
CVSS changed
Jun 30, 2026 - 14:22 NVD
7.8 (HIGH)
Patch available
Jun 30, 2026 - 11:01 EUVD
CVE Published
Jun 30, 2026 - 08:55 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Nokia MantaRay NM is subject to an unrestricted file upload vulnerability due to insufficient file type validation. Successful exploitation could allow an authenticated attacker to upload malicious files onto the system.

AnalysisAI

Arbitrary file upload in Nokia MantaRay NM (network management) prior to 25R2-NM allows an authenticated, low-privileged attacker to bypass insufficient file-type validation and place malicious files on the host, leading to full compromise of confidentiality, integrity, and availability (CVSS 7.8). The flaw is a CWE-434 unrestricted upload; the CVSS vector specifies a local attack vector (AV:L) rather than remote network exploitation. No public exploit identified at time of analysis, and the EPSS score is very low (0.18%, 7th percentile).

Technical ContextAI

Nokia MantaRay NM is Nokia's converged network management platform used by carriers and large enterprises to operate and monitor mobile/transport network elements. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type): an upload handler validates file type insufficiently - typically trusting client-supplied content-type or extension rather than verifying actual content - so an attacker can submit executable or otherwise dangerous file types. The single affected CPE is cpe:2.3:a:nokia:mantaray_nm:*:*:*:*:*:*:*:*, indicating the application itself (all versions below the fixed release) rather than a specific embedded library.

RemediationAI

Upgrade to Nokia MantaRay NM 25R2-NM or later, the first release that contains the fix per the EUVD affected-version data (Patch available per vendor advisory); confirm the exact patched build against the Nokia product security advisory at https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24815/. Until the upgrade is applied, reduce risk by tightening account access - limit and audit the low-privilege accounts that can reach upload functionality, since exploitation requires authenticated (PR:L) and local (AV:L) access; restrict network/management-plane access to the MantaRay NM host to trusted operators only; and monitor the upload directories and web/application roots for unexpected executable or script files. The trade-off of restricting upload-capable accounts is reduced operational flexibility for legitimate users, so scope changes to non-essential roles first.

Share

EUVD-2025-210369 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy