Skip to main content

Nokia

Vendor security scorecard – 9 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 27
9
CVEs
0
Critical
4
High
0
KEV
1
PoC
3
Unpatched C/H
44.4%
Patch Rate
0.2%
Avg EPSS

Severity Breakdown

CRITICAL
0
HIGH
4
MEDIUM
5
LOW
0

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2022-45899 Nokia Broadcast Message Center (BMC) before 13.1 allows an unauthenticated remote attacker to do OS command injection as root via shell metacharacters in the Log Scanner Search Pattern field. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. MEDIUM 6.5 0.9% 53
PoC No patch
CVE-2025-24818 OS command injection in Nokia MantaRay NM Log Search application allows authenticated adjacent network attackers to execute arbitrary OS commands with high impact to confidentiality, integrity, and availability. The vulnerability affects versions prior to 25R1-NM due to improper neutralization of special elements in OS commands (CWE-77). CVSS score of 8.0 reflects high severity with low attack complexity requiring low-level authentication from adjacent network position. No public exploit identified at time of analysis, though command injection vulnerabilities are well-understood and relatively straightforward to exploit once access requirements are met. HIGH 8.0 0.1% 40
No patch
CVE-2025-24817 OS command injection in Nokia MantaRay NM Symptom Collector application allows authenticated adjacent network attackers to execute arbitrary OS commands with high confidentiality, integrity, and availability impact. The vulnerability affects all versions prior to 25R1-NM and requires low-privilege authenticated access over adjacent network with low attack complexity. No public exploit identified at time of analysis, with EPSS exploitation probability at 0.06% (19th percentile), indicating relatively low observed real-world exploitation likelihood despite the high CVSS score. HIGH 8.0 0.1% 40
No patch
CVE-2025-24815 Arbitrary file upload in Nokia MantaRay NM (network management) prior to 25R2-NM allows an authenticated, low-privileged attacker to bypass insufficient file-type validation and place malicious files on the host, leading to full compromise of confidentiality, integrity, and availability (CVSS 7.8). The flaw is a CWE-434 unrestricted upload; the CVSS vector specifies a local attack vector (AV:L) rather than remote network exploitation. No public exploit identified at time of analysis, and the EPSS score is very low (0.18%, 7th percentile). HIGH 7.8 0.2% 39
CVE-2025-7406 Local privilege escalation in Nokia MantaRay NM (network management) lets an attacker who already holds local administrative privileges abuse a misconfigured sudo command set to obtain full root access on the host, gaining complete control of the filesystem and arbitrary root command execution. The flaw was reported by Nokia and affects versions prior to NM 25R1-NM, with no public exploit identified at time of analysis and a low EPSS exploitation probability of 0.17%. HIGH 7.8 0.2% 39
No patch
CVE-2025-24816 Insufficient authorization enforcement in the Nokia MantaRay NM API allows authenticated low-privilege users to retrieve confidential data beyond their assigned role boundaries. Affected are all Nokia MantaRay NM deployments running versions prior to 25R2-NM, a telecom-focused network management platform. No public exploit code or CISA KEV listing has been identified; with EPSS at 0.18% (7th percentile), real-world exploitation pressure is currently low, though the high confidentiality impact and low attack complexity make patching a priority for any operator with untrusted authenticated users. MEDIUM 6.5 0.2% 33
CVE-2025-10262 Local privilege escalation in Nokia SR Linux affects multiple release trains and allows an already-authenticated user holding elevated local privileges to execute arbitrary commands as superuser by exploiting unsanitized format string handling (CWE-134). The attack vector is local and requires high prior privileges (CVSS AV:L/PR:H), significantly limiting the exposure surface compared to a network-exploitable flaw. No public exploit code and no CISA KEV listing have been identified at time of analysis; Nokia has released patches across all affected branch lines. MEDIUM 6.3 0.2% 32
CVE-2025-9912 Local privilege escalation in Nokia SR Linux (multiple release branches prior to 23.10.8, 24.10.6, and 25.7.2) allows an authenticated local user to execute arbitrary commands with superuser (root) privilege. Rooted in CWE-269 (Improper Privilege Management), this flaw enables a user who has already obtained a local session on the network OS to break out of their assigned privilege boundary and gain full control of the system. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, Nokia has confirmed a patch and self-reported the issue. MEDIUM 6.3 0.2% 32
CVE-2025-24819 Relative path traversal in Nokia MantaRay NM Software Manager allows authenticated local network attackers to read sensitive files on the affected system. The vulnerability stems from improper validation of input parameters in the file system handling code, enabling an attacker with local network access and low privileges to enumerate and access files outside the intended directory structure without modifying or disrupting them. No public exploit code or active exploitation has been confirmed at the time of analysis. MEDIUM 5.7 0.0% 29
No patch

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy