6
CVEs
0
Critical
2
High
0
KEV
1
PoC
1
Unpatched C/H
66.7%
Patch Rate
0.3%
Avg EPSS
Severity Breakdown
CRITICAL
0
HIGH
2
MEDIUM
4
LOW
0
Monthly CVE Trend
Affected Products (30)
1350 Optical Management System
10
Netact
7
G 040W Q Firmware
6
Impact
4
Asika Airscale Firmware
4
Mantaray Nm
3
Fastmile Firmware
3
Open Redirect
2
G 120W F Firmware
1
Brute Force
1
Nokia Asha 501 Software
1
Wavelite Metro 200 And F2B Fans Firmware
1
Sr Linux
1
Nokia Maps Places
1
Bcm4329
1
Iphone Os
1
G 2425G A Firmware
1
Wavelite Metro 200 Ops And Fans Firmware
1
Service Router Linux
1
Service Router Operating System
1
Bcm4325
1
Vantage Commander
1
Airframe Bmc Web Gui R18 Firmware
1
Fastmile 5G Receiver Firmware
1
Nokia Sr Linux
1
Linux Kernel
1
Nokia Asha 501
1
Wavelite Metro 200 Ne Ops And F2B Fans Firmware
1
Pc Suite
1
Wavelite Metro 200 Ne And F2B Fans Firmware
1
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2022-45899 | Nokia Broadcast Message Center (BMC) before 13.1 allows an unauthenticated remote attacker to do OS command injection as root via shell metacharacters in the Log Scanner Search Pattern field. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. | MEDIUM | 6.5 | 0.9% | 53 |
PoC
No patch
|
| CVE-2025-24815 | Arbitrary file upload in Nokia MantaRay NM (network management) prior to 25R2-NM allows an authenticated, low-privileged attacker to bypass insufficient file-type validation and place malicious files on the host, leading to full compromise of confidentiality, integrity, and availability (CVSS 7.8). The flaw is a CWE-434 unrestricted upload; the CVSS vector specifies a local attack vector (AV:L) rather than remote network exploitation. No public exploit identified at time of analysis, and the EPSS score is very low (0.18%, 7th percentile). | HIGH | 7.8 | 0.2% | 39 |
|
| CVE-2025-7406 | Local privilege escalation in Nokia MantaRay NM (network management) lets an attacker who already holds local administrative privileges abuse a misconfigured sudo command set to obtain full root access on the host, gaining complete control of the filesystem and arbitrary root command execution. The flaw was reported by Nokia and affects versions prior to NM 25R1-NM, with no public exploit identified at time of analysis and a low EPSS exploitation probability of 0.17%. | HIGH | 7.8 | 0.2% | 39 |
No patch
|
| CVE-2025-24816 | Insufficient authorization enforcement in the Nokia MantaRay NM API allows authenticated low-privilege users to retrieve confidential data beyond their assigned role boundaries. Affected are all Nokia MantaRay NM deployments running versions prior to 25R2-NM, a telecom-focused network management platform. No public exploit code or CISA KEV listing has been identified; with EPSS at 0.18% (7th percentile), real-world exploitation pressure is currently low, though the high confidentiality impact and low attack complexity make patching a priority for any operator with untrusted authenticated users. | MEDIUM | 6.5 | 0.2% | 33 |
|
| CVE-2025-10262 | Local privilege escalation in Nokia SR Linux affects multiple release trains and allows an already-authenticated user holding elevated local privileges to execute arbitrary commands as superuser by exploiting unsanitized format string handling (CWE-134). The attack vector is local and requires high prior privileges (CVSS AV:L/PR:H), significantly limiting the exposure surface compared to a network-exploitable flaw. No public exploit code and no CISA KEV listing have been identified at time of analysis; Nokia has released patches across all affected branch lines. | MEDIUM | 6.3 | 0.2% | 32 |
|
| CVE-2025-9912 | Local privilege escalation in Nokia SR Linux (multiple release branches prior to 23.10.8, 24.10.6, and 25.7.2) allows an authenticated local user to execute arbitrary commands with superuser (root) privilege. Rooted in CWE-269 (Improper Privilege Management), this flaw enables a user who has already obtained a local session on the network OS to break out of their assigned privilege boundary and gain full control of the system. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, Nokia has confirmed a patch and self-reported the issue. | MEDIUM | 6.3 | 0.2% | 32 |
|