Skip to main content

Nokia

Vendor security scorecard – 6 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 16
6
CVEs
0
Critical
2
High
0
KEV
1
PoC
1
Unpatched C/H
66.7%
Patch Rate
0.3%
Avg EPSS

Severity Breakdown

CRITICAL
0
HIGH
2
MEDIUM
4
LOW
0

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2022-45899 Nokia Broadcast Message Center (BMC) before 13.1 allows an unauthenticated remote attacker to do OS command injection as root via shell metacharacters in the Log Scanner Search Pattern field. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. MEDIUM 6.5 0.9% 53
PoC No patch
CVE-2025-24815 Arbitrary file upload in Nokia MantaRay NM (network management) prior to 25R2-NM allows an authenticated, low-privileged attacker to bypass insufficient file-type validation and place malicious files on the host, leading to full compromise of confidentiality, integrity, and availability (CVSS 7.8). The flaw is a CWE-434 unrestricted upload; the CVSS vector specifies a local attack vector (AV:L) rather than remote network exploitation. No public exploit identified at time of analysis, and the EPSS score is very low (0.18%, 7th percentile). HIGH 7.8 0.2% 39
CVE-2025-7406 Local privilege escalation in Nokia MantaRay NM (network management) lets an attacker who already holds local administrative privileges abuse a misconfigured sudo command set to obtain full root access on the host, gaining complete control of the filesystem and arbitrary root command execution. The flaw was reported by Nokia and affects versions prior to NM 25R1-NM, with no public exploit identified at time of analysis and a low EPSS exploitation probability of 0.17%. HIGH 7.8 0.2% 39
No patch
CVE-2025-24816 Insufficient authorization enforcement in the Nokia MantaRay NM API allows authenticated low-privilege users to retrieve confidential data beyond their assigned role boundaries. Affected are all Nokia MantaRay NM deployments running versions prior to 25R2-NM, a telecom-focused network management platform. No public exploit code or CISA KEV listing has been identified; with EPSS at 0.18% (7th percentile), real-world exploitation pressure is currently low, though the high confidentiality impact and low attack complexity make patching a priority for any operator with untrusted authenticated users. MEDIUM 6.5 0.2% 33
CVE-2025-10262 Local privilege escalation in Nokia SR Linux affects multiple release trains and allows an already-authenticated user holding elevated local privileges to execute arbitrary commands as superuser by exploiting unsanitized format string handling (CWE-134). The attack vector is local and requires high prior privileges (CVSS AV:L/PR:H), significantly limiting the exposure surface compared to a network-exploitable flaw. No public exploit code and no CISA KEV listing have been identified at time of analysis; Nokia has released patches across all affected branch lines. MEDIUM 6.3 0.2% 32
CVE-2025-9912 Local privilege escalation in Nokia SR Linux (multiple release branches prior to 23.10.8, 24.10.6, and 25.7.2) allows an authenticated local user to execute arbitrary commands with superuser (root) privilege. Rooted in CWE-269 (Improper Privilege Management), this flaw enables a user who has already obtained a local session on the network OS to break out of their assigned privilege boundary and gain full control of the system. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, Nokia has confirmed a patch and self-reported the issue. MEDIUM 6.3 0.2% 32

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy