Overview
| Field | Details |
|---|---|
| CVE ID | CVE-2025-27258 |
| Severity | Medium |
| CVSS Score | 6.9 |
| CVSS Vector | CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-284 — Improper Access Control |
| Vendor | Ericsson |
| Affected Product | Ericsson Network Manager (ENM) |
| Affected Versions | All versions before 25.1 GA |
| Disclosure Date | October 13, 2025 |
Description
An Improper Access Control vulnerability in Ericsson Network Manager (ENM) allows an authenticated attacker with adjacent network access to escalate privileges within the ENM platform. The resulting unauthorized elevation of privileges exposes sensitive data that should be accessible only to higher-privileged roles.
Impact
A low-privileged attacker on an adjacent network (PR:L, AV:A) can read high-confidentiality data (VC:H) without any user interaction (UI:N). Integrity and availability are not directly impacted (VI:N, VA:N).
Remediation
Upgrade Ericsson Network Manager to version 25.1 GA or later.
Credits
Discovered by the TIM Security Red Team Research team:
Andrea Carlo Maria Dattola, Cristina Coppola, Carlo Pannullo, Massimiliano Brolli.