Overview
| Field | Details |
|---|---|
| CVE ID | CVE-2025-24818 |
| Severity | High |
| CVSS Score | 8.0 |
| CVSS Vector | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-77 — Improper Neutralization of Special Elements used in a Command (Command Injection) |
| Vendor | Nokia |
| Affected Product | Nokia MantaRay NM |
| Affected Versions | All versions before 25r1-nm |
| Disclosure Date | April 7, 2026 |
Description
Nokia MantaRay NM contains an OS command injection vulnerability in the Log Search application, caused by improper neutralization of special elements used in an OS command. An authenticated attacker on an adjacent network can exploit this flaw without user interaction to execute arbitrary commands on the underlying system.
Impact
Successful exploitation has a high impact on confidentiality, integrity, and availability, effectively resulting in full system compromise of the affected Nokia MantaRay NM instance.
Remediation
Upgrade Nokia MantaRay NM to version 25r1-nm or later.
Credits
Discovered by Carlo Pannullo (TIM Security Red Team Research).