Overview
| Field | Details |
|---|---|
| CVE ID | CVE-2025-24817 |
| Severity | High |
| CVSS Score | 8.0 |
| CVSS Vector | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-78 — Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) |
| Vendor | Nokia |
| Affected Product | Nokia MantaRay NM |
| Affected Versions | All versions before 25r1-nm |
| Disclosure Date | April 7, 2026 |
Description
Nokia MantaRay NM contains an OS command injection vulnerability caused by improper neutralization of special elements used in an OS command. An authenticated attacker on the adjacent network can exploit this flaw without any user interaction to achieve full compromise of the target system.
Impact
Successful exploitation has a high impact on confidentiality, integrity, and availability, effectively resulting in full system compromise of the affected Nokia MantaRay NM instance.
Remediation
Upgrade Nokia MantaRay NM to version 25r1-nm or later.
Credits
Discovered by Carlo Pannullo (TIM Security Red Team Research).