Skip to main content

Ericsson

36 CVEs vendor

Monthly

CVE-2025-59174 HIGH PATCH This Week

Denial-of-service in Ericsson Packet Core Controller (PCC) versions prior to 1.39 allows an adjacent-network attacker without credentials to degrade service by flooding the controller with specially crafted messages. The CVSS 4.0 score of 7.1 reflects high availability impact with no confidentiality or integrity loss; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Ericsson Information Disclosure
NVD VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-25659 HIGH PATCH This Week

Denial of service in Ericsson Packet Core Gateway (PCG) versions prior to 1.30 allows an adjacent-network attacker to degrade telecom packet core service by continuously sending a specially crafted message that triggers improper handling of missing values (CWE-230). The condition persists only while the attack is sustained - the system self-recovers once traffic stops - and no public exploit identified at time of analysis, but the CVSS 4.0 score of 7.1 reflects high availability impact on a carrier-grade network function.

Ericsson Denial Of Service
NVD VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-25658 HIGH PATCH This Week

Denial of service in Ericsson Packet Core Gateway (PCG) versions prior to 1.30 allows adjacent network attackers to degrade service availability by continuously transmitting specially crafted messages that trigger improper handling of missing values (CWE-230). The affected PCG nodes crash repeatedly under sustained attack but self-recover once traffic stops, so impact is transient yet operationally significant for mobile core networks. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Ericsson Denial Of Service
NVD VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-25657 HIGH PATCH This Week

Denial of service in Ericsson Packet Core Gateway (PCG) versions prior to 1.30 allows an adjacent-network attacker to degrade service by continuously transmitting malformed messages that the gateway fails to parse safely. The condition causes recurring crashes that persist only while the attack is active, with automatic recovery once it stops, and no public exploit identified at time of analysis.

Ericsson Denial Of Service
NVD VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2024-53828 MEDIUM PATCH This Month

Ericsson Packet Core Controller (PCC) versions prior to 1.38 contain a vulnerability where an attacker sending a large volume of specially crafted messages may cause service degradation. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required.

Information Disclosure Ericsson
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-40842 HIGH PATCH This Week

A Cross-Site Scripting (XSS) vulnerability exists in Ericsson Indoor Connect 8855 versions prior to 2025.Q3, classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). An attacker can inject malicious scripts into the web interface, potentially leading to unauthorized disclosure and modification of sensitive information. No CVSS score, EPSS data, or KEV status is currently available, and no public proof-of-concept has been disclosed, though the vulnerability has been formally documented by Ericsson's Product Security Incident Response Team (PSIRT).

Ericsson XSS
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2025-40841 MEDIUM PATCH This Month

A Cross-Site Request Forgery (CSRF) vulnerability exists in Ericsson Indoor Connect 8855 prior to version 2025.Q3 that allows attackers to perform unauthorized modification of certain information by tricking authenticated users into executing malicious requests. The vulnerability affects the Ericsson Indoor Connect 8855 product line and can be exploited to compromise the integrity of system data without explicit user awareness. No active exploitation in the wild (KEV status) or public proof-of-concept has been confirmed at this time, though the attack vector is typically network-based with low to medium complexity.

Ericsson CSRF
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2025-27260 HIGH PATCH This Week

Ericsson Indoor Connect 8855 prior to version 2025.Q3 contains an Improper Filtering of Special Elements vulnerability (CWE-790) that allows attackers to bypass input validation controls and achieve unauthorized modification of sensitive information. This vulnerability affects all versions of the Indoor Connect 8855 product line below the 2025.Q3 release. No CVSS score, CVSS vector, EPSS data, or active exploitation status is currently available in public sources, limiting quantitative risk assessment, though the CWE-790 classification suggests the vulnerability involves inadequate sanitization of special characters or metacharacters in user input.

Ericsson Authentication Bypass
NVD VulDB
CVSS 4.0
7.2
EPSS
0.0%
CVE-2025-40838 MEDIUM This Month

Ericsson Indoor Connect 8855 contains a vulnerability where server-side security can be bypassed in the client which if exploited can lead to unauthorized disclosure of certain information. Rated low severity (CVSS 2.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Ericsson
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2025-40837 HIGH This Week

Ericsson Indoor Connect 8855 contains a missing authorization vulnerability which if exploited can allow access to the system as a user with higher privileges than intended. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Ericsson Indoor Connect 8855 Firmware
NVD
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-40836 HIGH This Month

Ericsson Indoor Connect 8855 contains an improper input validation vulnerability which if exploited can allow an attacker to execute commands with escalated privileges. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Ericsson Indoor Connect 8855 Firmware
NVD
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-27262 HIGH This Month

Ericsson Indoor Connect 8855 contains a command injection vulnerability which if exploited can result in an escalation of privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. No vendor patch available.

Command Injection Ericsson Indoor Connect 8855 Firmware
NVD
CVSS 4.0
8.5
EPSS
0.0%
CVE-2025-27261 HIGH This Week

Ericsson Indoor Connect 8855 contains an SQL injection vulnerability which if exploited can result in unauthorized disclosure or modification of data. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Ericsson SQLi Indoor Connect 8855 Firmware
NVD
CVSS 4.0
8.7
EPSS
0.0%
CVE-2024-25011 MEDIUM This Month

Ericsson Catalog Manager and Ericsson Order Care APIs do not have authentication enabled by default. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ericsson Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2024-25010 HIGH This Month

Ericsson RAN Compute and Site Controller 6610 contains in certain configurations a high severity vulnerability where improper input validation could be exploited leading to arbitrary code execution. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Ericsson
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2024-53827 HIGH This Month

Ericsson Packet Core Controller (PCC) contains a vulnerability where an attacker sending a large volume of specially crafted messages may cause service degradation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Ericsson
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2024-25009 MEDIUM This Month

Ericsson Packet Core Controller (PCC) contains a vulnerability in Access and Mobility Management Function (AMF) where improper input validation can lead to denial of service which may result in. Rated medium severity (CVSS 6.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Ericsson Denial Of Service
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2024-25008 MEDIUM This Month

Ericsson RAN Compute and Site Controller 6610 contains a vulnerability in the Control System where Improper Input Validation can lead to arbitrary code execution, for example to obtain a Linux Shell. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.

Ericsson RCE
NVD
CVSS 3.1
6.8
EPSS
0.3%
CVE-2024-25007 HIGH This Week

Ericsson Network Manager (ENM), versions prior to 23.1, contains a vulnerability in the export function of application log where Improper Neutralization of Formula Elements in a CSV File can lead to. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Ericsson RCE Information Disclosure Network Manager
NVD
CVSS 3.1
7.1
EPSS
0.4%
CVE-2023-39909 HIGH This Week

Ericsson Network Manager before 23.2 mishandles Access Control and thus unauthenticated low-privilege users can access the NCM application. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Ericsson Network Manager
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2021-43339 HIGH POC This Week

In Ericsson Network Location before 2021-07-31, it is possible for an authenticated attacker to inject commands via file_name in the export functionality. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Ericsson Command Injection Network Location
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
9.6%
CVE-2021-32571 MEDIUM This Month

In OSS-RC systems of the release 18B and older during data migration procedures certain files containing usernames and passwords are left in the system undeleted but in folders accessible by top. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Ericsson Information Disclosure Operations Support System Radio And Core Firmware
NVD
CVSS 3.1
4.9
EPSS
0.8%
CVE-2021-32569 MEDIUM This Month

In OSS-RC systems of the release 18B and older customer documentation browsing libraries under ALEX are subject to Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ericsson XSS Operations Support System Radio And Core Firmware
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2021-41391 MEDIUM POC This Month

In Ericsson ECM before 18.0, it was observed that Security Management Endpoint in User Profile Management Section is vulnerable to stored XSS via a name, leading to session hijacking and full account. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Ericsson XSS Enterprise Content Management
NVD
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-41390 HIGH POC This Week

In Ericsson ECM before 18.0, it was observed that Security Provider Endpoint in the User Profile Management Section is vulnerable to CSV Injection. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Ericsson Code Injection Enterprise Content Management
NVD
CVSS 3.1
8.0
EPSS
1.1%
CVE-2020-29145 MEDIUM POC This Month

In Ericsson BSCS iX R18 Billing & Rating iX R18, ADMX is a web base module in BSCS iX that is vulnerable to stored XSS via the name or description field to a. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Ericsson Bscs Ix R18 Billing Rating Admx Bscs Ix R18 Billing Rating Mx
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2020-29144 MEDIUM POC This Month

In Ericsson BSCS iX R18 Billing & Rating iX R18, MX is a web base module in BSCS iX that is vulnerable to stored XSS via an Alert Dashboard comment. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Ericsson Bscs Ix R18 Billing Rating Admx Bscs Ix R18 Billing Rating Mx
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2020-22158 MEDIUM This Month

MediaKind (formerly Ericsson) RX8200 5.13.3 devices are vulnerable to multiple reflected and stored XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Ericsson Rx8200 Firmware
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2019-7417 MEDIUM POC This Month

XSS exists in Ericsson Active Library Explorer (ALEX) 14.3 in multiple parameters in the "/cgi-bin/alexserv" servlet, as demonstrated by the DB, FN, fn, or id parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Ericsson Active Library Explorer
NVD
CVSS 3.0
6.1
EPSS
1.5%
CVE-2018-15138 HIGH POC THREAT This Week

Ericsson-LG iPECS NMS 30M allows directory traversal via ipecs-cm/download?filename=../ URIs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Ericsson Path Traversal Ipecs Nms
NVD Exploit-DB
CVSS 3.0
7.5
EPSS
12.9%
CVE-2018-9245 CRITICAL POC Act Now

The Ericsson-LG iPECS NMS A.1Ac login portal has a SQL injection vulnerability in the User ID and password fields that allows users to bypass the login page and execute remote code on the operating. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Ericsson Ipecs Nms
NVD GitHub Exploit-DB
CVSS 3.0
9.8
EPSS
4.1%
CVE-2018-10286 HIGH POC This Week

The Ericsson-LG iPECS NMS A.1Ac web application discloses sensitive information such as the NMS admin credentials and the PostgreSQL database credentials to logged-in users via the responses to. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Ericsson Information Disclosure PostgreSQL Ipecs Nms
NVD GitHub Exploit-DB
CVSS 3.0
8.8
EPSS
6.6%
CVE-2018-10285 CRITICAL POC THREAT Act Now

The Ericsson-LG iPECS NMS A.1Ac web application uses incorrect access control mechanisms. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Ericsson Ipecs Nms
NVD GitHub Exploit-DB
CVSS 3.0
9.8
EPSS
13.2%
CVE-2015-2167 MEDIUM POC This Month

Open redirect vulnerability in the 3PI Manager in Ericsson Drutt Mobile Service Delivery Platform (MSDP) 4, 5, and 6 allows remote attackers to redirect users to arbitrary web sites and conduct. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Ericsson Open Redirect Drutt Mobile Service Delivery Platform
NVD
CVSS 2.0
5.8
EPSS
0.2%
CVE-2015-2166 MEDIUM POC THREAT This Month

Directory traversal vulnerability in the Instance Monitor in Ericsson Drutt Mobile Service Delivery Platform (MSDP) 4, 5, and 6 allows remote attackers to read arbitrary files via a ..%2f (dot dot. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 73.6%.

Path Traversal Ericsson Drutt Mobile Service Delivery Platform
NVD Exploit-DB
CVSS 2.0
5.0
EPSS
73.6%
Threat
4.7
CVE-2015-2165 MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in the Report Viewer in Ericsson Drutt Mobile Service Delivery Platform (MSDP) 4.x, 5.x, and 6.x allow remote attackers to inject arbitrary web. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS Ericsson Drutt Mobile Service Delivery Platform
NVD
CVSS 2.0
4.3
EPSS
0.3%
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Denial-of-service in Ericsson Packet Core Controller (PCC) versions prior to 1.39 allows an adjacent-network attacker without credentials to degrade service by flooding the controller with specially crafted messages. The CVSS 4.0 score of 7.1 reflects high availability impact with no confidentiality or integrity loss; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Ericsson Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Denial of service in Ericsson Packet Core Gateway (PCG) versions prior to 1.30 allows an adjacent-network attacker to degrade telecom packet core service by continuously sending a specially crafted message that triggers improper handling of missing values (CWE-230). The condition persists only while the attack is sustained - the system self-recovers once traffic stops - and no public exploit identified at time of analysis, but the CVSS 4.0 score of 7.1 reflects high availability impact on a carrier-grade network function.

Ericsson Denial Of Service
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Denial of service in Ericsson Packet Core Gateway (PCG) versions prior to 1.30 allows adjacent network attackers to degrade service availability by continuously transmitting specially crafted messages that trigger improper handling of missing values (CWE-230). The affected PCG nodes crash repeatedly under sustained attack but self-recover once traffic stops, so impact is transient yet operationally significant for mobile core networks. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Ericsson Denial Of Service
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Denial of service in Ericsson Packet Core Gateway (PCG) versions prior to 1.30 allows an adjacent-network attacker to degrade service by continuously transmitting malformed messages that the gateway fails to parse safely. The condition causes recurring crashes that persist only while the attack is active, with automatic recovery once it stops, and no public exploit identified at time of analysis.

Ericsson Denial Of Service
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Ericsson Packet Core Controller (PCC) versions prior to 1.38 contain a vulnerability where an attacker sending a large volume of specially crafted messages may cause service degradation. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required.

Information Disclosure Ericsson
NVD VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

A Cross-Site Scripting (XSS) vulnerability exists in Ericsson Indoor Connect 8855 versions prior to 2025.Q3, classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). An attacker can inject malicious scripts into the web interface, potentially leading to unauthorized disclosure and modification of sensitive information. No CVSS score, EPSS data, or KEV status is currently available, and no public proof-of-concept has been disclosed, though the vulnerability has been formally documented by Ericsson's Product Security Incident Response Team (PSIRT).

Ericsson XSS
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

A Cross-Site Request Forgery (CSRF) vulnerability exists in Ericsson Indoor Connect 8855 prior to version 2025.Q3 that allows attackers to perform unauthorized modification of certain information by tricking authenticated users into executing malicious requests. The vulnerability affects the Ericsson Indoor Connect 8855 product line and can be exploited to compromise the integrity of system data without explicit user awareness. No active exploitation in the wild (KEV status) or public proof-of-concept has been confirmed at this time, though the attack vector is typically network-based with low to medium complexity.

Ericsson CSRF
NVD VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Ericsson Indoor Connect 8855 prior to version 2025.Q3 contains an Improper Filtering of Special Elements vulnerability (CWE-790) that allows attackers to bypass input validation controls and achieve unauthorized modification of sensitive information. This vulnerability affects all versions of the Indoor Connect 8855 product line below the 2025.Q3 release. No CVSS score, CVSS vector, EPSS data, or active exploitation status is currently available in public sources, limiting quantitative risk assessment, though the CWE-790 classification suggests the vulnerability involves inadequate sanitization of special characters or metacharacters in user input.

Ericsson Authentication Bypass
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

Ericsson Indoor Connect 8855 contains a vulnerability where server-side security can be bypassed in the client which if exploited can lead to unauthorized disclosure of certain information. Rated low severity (CVSS 2.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Ericsson
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Ericsson Indoor Connect 8855 contains a missing authorization vulnerability which if exploited can allow access to the system as a user with higher privileges than intended. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Ericsson Indoor Connect 8855 Firmware
NVD
EPSS 0% CVSS 8.7
HIGH This Month

Ericsson Indoor Connect 8855 contains an improper input validation vulnerability which if exploited can allow an attacker to execute commands with escalated privileges. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Ericsson Indoor Connect 8855 Firmware
NVD
EPSS 0% CVSS 8.5
HIGH This Month

Ericsson Indoor Connect 8855 contains a command injection vulnerability which if exploited can result in an escalation of privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. No vendor patch available.

Command Injection Ericsson Indoor Connect 8855 Firmware
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Ericsson Indoor Connect 8855 contains an SQL injection vulnerability which if exploited can result in unauthorized disclosure or modification of data. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Ericsson SQLi Indoor Connect 8855 Firmware
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Ericsson Catalog Manager and Ericsson Order Care APIs do not have authentication enabled by default. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ericsson Information Disclosure
NVD
EPSS 0% CVSS 8.8
HIGH This Month

Ericsson RAN Compute and Site Controller 6610 contains in certain configurations a high severity vulnerability where improper input validation could be exploited leading to arbitrary code execution. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Ericsson
NVD
EPSS 0% CVSS 7.5
HIGH This Month

Ericsson Packet Core Controller (PCC) contains a vulnerability where an attacker sending a large volume of specially crafted messages may cause service degradation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Ericsson
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Ericsson Packet Core Controller (PCC) contains a vulnerability in Access and Mobility Management Function (AMF) where improper input validation can lead to denial of service which may result in. Rated medium severity (CVSS 6.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Ericsson Denial Of Service
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Ericsson RAN Compute and Site Controller 6610 contains a vulnerability in the Control System where Improper Input Validation can lead to arbitrary code execution, for example to obtain a Linux Shell. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.

Ericsson RCE
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Ericsson Network Manager (ENM), versions prior to 23.1, contains a vulnerability in the export function of application log where Improper Neutralization of Formula Elements in a CSV File can lead to. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Ericsson RCE Information Disclosure +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Ericsson Network Manager before 23.2 mishandles Access Control and thus unauthenticated low-privilege users can access the NCM application. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Ericsson Network Manager
NVD
EPSS 10% CVSS 8.8
HIGH POC This Week

In Ericsson Network Location before 2021-07-31, it is possible for an authenticated attacker to inject commands via file_name in the export functionality. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Ericsson Command Injection Network Location
NVD Exploit-DB
EPSS 1% CVSS 4.9
MEDIUM This Month

In OSS-RC systems of the release 18B and older during data migration procedures certain files containing usernames and passwords are left in the system undeleted but in folders accessible by top. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Ericsson Information Disclosure Operations Support System Radio And Core Firmware
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

In OSS-RC systems of the release 18B and older customer documentation browsing libraries under ALEX are subject to Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ericsson XSS Operations Support System Radio And Core Firmware
NVD
EPSS 1% CVSS 5.4
MEDIUM POC This Month

In Ericsson ECM before 18.0, it was observed that Security Management Endpoint in User Profile Management Section is vulnerable to stored XSS via a name, leading to session hijacking and full account. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Ericsson XSS Enterprise Content Management
NVD
EPSS 1% CVSS 8.0
HIGH POC This Week

In Ericsson ECM before 18.0, it was observed that Security Provider Endpoint in the User Profile Management Section is vulnerable to CSV Injection. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Ericsson Code Injection Enterprise Content Management
NVD
EPSS 1% CVSS 5.4
MEDIUM POC This Month

In Ericsson BSCS iX R18 Billing & Rating iX R18, ADMX is a web base module in BSCS iX that is vulnerable to stored XSS via the name or description field to a. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Ericsson Bscs Ix R18 Billing Rating Admx +1
NVD
EPSS 1% CVSS 5.4
MEDIUM POC This Month

In Ericsson BSCS iX R18 Billing & Rating iX R18, MX is a web base module in BSCS iX that is vulnerable to stored XSS via an Alert Dashboard comment. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Ericsson Bscs Ix R18 Billing Rating Admx +1
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

MediaKind (formerly Ericsson) RX8200 5.13.3 devices are vulnerable to multiple reflected and stored XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Ericsson Rx8200 Firmware
NVD
EPSS 2% CVSS 6.1
MEDIUM POC This Month

XSS exists in Ericsson Active Library Explorer (ALEX) 14.3 in multiple parameters in the "/cgi-bin/alexserv" servlet, as demonstrated by the DB, FN, fn, or id parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Ericsson Active Library Explorer
NVD
EPSS 13% CVSS 7.5
HIGH POC THREAT This Week

Ericsson-LG iPECS NMS 30M allows directory traversal via ipecs-cm/download?filename=../ URIs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Ericsson Path Traversal Ipecs Nms
NVD Exploit-DB
EPSS 4% CVSS 9.8
CRITICAL POC Act Now

The Ericsson-LG iPECS NMS A.1Ac login portal has a SQL injection vulnerability in the User ID and password fields that allows users to bypass the login page and execute remote code on the operating. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Ericsson Ipecs Nms
NVD GitHub Exploit-DB
EPSS 7% CVSS 8.8
HIGH POC This Week

The Ericsson-LG iPECS NMS A.1Ac web application discloses sensitive information such as the NMS admin credentials and the PostgreSQL database credentials to logged-in users via the responses to. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Ericsson Information Disclosure PostgreSQL +1
NVD GitHub Exploit-DB
EPSS 13% CVSS 9.8
CRITICAL POC THREAT Act Now

The Ericsson-LG iPECS NMS A.1Ac web application uses incorrect access control mechanisms. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Ericsson Ipecs Nms
NVD GitHub Exploit-DB
EPSS 0% CVSS 5.8
MEDIUM POC This Month

Open redirect vulnerability in the 3PI Manager in Ericsson Drutt Mobile Service Delivery Platform (MSDP) 4, 5, and 6 allows remote attackers to redirect users to arbitrary web sites and conduct. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Ericsson Open Redirect Drutt Mobile Service Delivery Platform
NVD
EPSS 74% 4.7 CVSS 5.0
MEDIUM POC THREAT This Month

Directory traversal vulnerability in the Instance Monitor in Ericsson Drutt Mobile Service Delivery Platform (MSDP) 4, 5, and 6 allows remote attackers to read arbitrary files via a ..%2f (dot dot. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 73.6%.

Path Traversal Ericsson Drutt Mobile Service Delivery Platform
NVD Exploit-DB
EPSS 0% CVSS 4.3
MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in the Report Viewer in Ericsson Drutt Mobile Service Delivery Platform (MSDP) 4.x, 5.x, and 6.x allow remote attackers to inject arbitrary web. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS Ericsson Drutt Mobile Service Delivery Platform
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy