{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-24817", "assignerOrgId": "b48c3b8f-639e-4c16-8725-497bc411dad0", "state": "PUBLISHED", "assignerShortName": "Nokia", "dateReserved": "2025-01-24T13:25:43.869Z", "datePublished": "2026-04-07T15:09:47.125Z", "dateUpdated": "2026-04-08T16:15:12.963Z"}, "containers": {"cna": {"title": "An OS Command Injection vulnerability in Nokia MantaRay NM", "descriptions": [{"lang": "en", "value": "Nokia MantaRay NM is vulnerable to an OS command injection vulnerability due to improper neutralization of special elements used in an OS command in Symptom Collector application."}], "affected": [{"vendor": "Nokia", "product": "MantaRay NM", "defaultStatus": "affected", "versions": [{"version": "Earlier than 25R1-NM (exclusive)", "status": "affected"}]}], "references": [{"url": "https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24817/"}], "providerMetadata": {"orgId": "b48c3b8f-639e-4c16-8725-497bc411dad0", "shortName": "Nokia", "dateUpdated": "2026-04-07T15:09:47.125Z"}, "x_generator": {"engine": "cveClient/1.0.15"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-78", "lang": "en", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T15:47:32.334342Z", "id": "CVE-2025-24817", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T16:15:12.963Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-24817", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-08T15:47:32.334342Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:48:07.045Z"}}], "cna": {"title": "An OS Command Injection vulnerability in Nokia MantaRay NM", "affected": [{"vendor": "Nokia", "product": "MantaRay NM", "versions": [{"status": "affected", "version": "Earlier than 25R1-NM (exclusive)"}], "defaultStatus": "affected"}], "references": [{"url": "https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24817/"}], "x_generator": {"engine": "cveClient/1.0.15"}, "descriptions": [{"lang": "en", "value": "Nokia MantaRay NM is vulnerable to an OS command injection vulnerability due to improper neutralization of special elements used in an OS command in Symptom Collector application."}], "providerMetadata": {"orgId": "b48c3b8f-639e-4c16-8725-497bc411dad0", "shortName": "Nokia", "dateUpdated": "2026-04-07T15:09:47.125Z"}}}, "cveMetadata": {"cveId": "CVE-2025-24817", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:15:12.963Z", "dateReserved": "2025-01-24T13:25:43.869Z", "assignerOrgId": "b48c3b8f-639e-4c16-8725-497bc411dad0", "datePublished": "2026-04-07T15:09:47.125Z", "assignerShortName": "Nokia"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nokia:mantaray_nm:*:*:*:*:*:*:*:*", "matchCriteriaId": "C678CD07-A42D-4168-8852-9C232E8DA11B", "versionEndExcluding": "25r1-nm", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Nokia MantaRay NM is vulnerable to an OS command injection vulnerability due to improper neutralization of special elements used in an OS command in Symptom Collector application."}], "id": "CVE-2025-24817", "lastModified": "2026-04-22T18:54:09.863", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-07T16:16:22.690", "references": [{"source": "b48c3b8f-639e-4c16-8725-497bc411dad0", "tags": ["Vendor Advisory"], "url": "https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24817/"}], "sourceIdentifier": "b48c3b8f-639e-4c16-8725-497bc411dad0", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,25R1-NM)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "MantaRay NM", "source": "cna", "vendor": "Nokia"}, "product": "mantaray_nm", "vendor": "nokia"}], "analysis": {"en": {"generated_at": "2026-04-08T18:55:13.093805+00:00", "value": {"mitigation_remediation": ["Apply the official Nokia patch or upgrade to the latest MantaRay NM firmware that eliminates the OS command injection in the Symptom Collector component.", "Verify that any external interfaces exposing Symptom Collector are secured behind authentication and firewall rules to limit access to trusted users only.", "If a patch is not yet available, consider disabling or restricting access to the Symptom Collector application until remediation is applied."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is Nokia MantaRay NM. No specific firmware or software version ranges are cited in the available data. Administrators should review the Nokia security advisory linked above to determine whether their deployed versions are susceptible.", "description_and_impact": "The vulnerability is an OS command injection in the Symptom Collector application of Nokia MantaRay NM, arising from insufficient sanitization of special elements used in OS commands. This flaw allows an attacker to inject arbitrary commands into the underlying operating system, turning it into a remote code execution vector. If successfully exploited, the attacker could execute any system command with the privileges of the Symptom Collector process, potentially compromising confidentiality, integrity, or availability of the device.", "risk_and_exploitability": "The CVSS score of 8 classifies the issue as High severity. The EPSS value of less than 1% indicates a low probability of exploitation under current conditions, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that exploitation would occur remotely through the Symptom Collector interface, requiring network access to the device. The path would involve submitting a crafted input that bypasses sanitization and triggers the underlying OS command execution."}}}}, "created": "2026-04-08T19:37:12.879306+00:00", "updated": "2026-04-08T19:48:28.663414+00:00", "vendors": ["nokia", "nokia$PRODUCT$mantaray_nm"]}