{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-24819", "assignerOrgId": "b48c3b8f-639e-4c16-8725-497bc411dad0", "state": "PUBLISHED", "assignerShortName": "Nokia", "dateReserved": "2025-01-24T13:25:43.870Z", "datePublished": "2026-04-07T15:14:42.719Z", "dateUpdated": "2026-04-07T17:56:15.517Z"}, "containers": {"cna": {"title": "A Relative Path Traversal vulnerability in Nokia MantaRay NM", "descriptions": [{"lang": "en", "value": "Nokia MantaRay NM is vulnerable to a Relative Path Traversal vulnerability due to improper validation of input parameter on the file system in Software Manager application."}], "affected": [{"vendor": "Nokia", "product": "MantaRay NM", "defaultStatus": "affected", "versions": [{"version": "earlier than 25R1-NM (exclusive)", "status": "affected"}]}], "references": [{"url": "https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24819/"}], "providerMetadata": {"orgId": "b48c3b8f-639e-4c16-8725-497bc411dad0", "shortName": "Nokia", "dateUpdated": "2026-04-07T15:14:42.719Z"}, "x_generator": {"engine": "cveClient/1.0.15"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-23", "lang": "en", "description": "CWE-23 Relative Path Traversal"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T17:46:21.365319Z", "id": "CVE-2025-24819", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T17:56:15.517Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-24819", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T17:46:21.365319Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-23", "description": "CWE-23 Relative Path Traversal"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T17:42:50.736Z"}}], "cna": {"title": "A Relative Path Traversal vulnerability in Nokia MantaRay NM", "affected": [{"vendor": "Nokia", "product": "MantaRay NM", "versions": [{"status": "affected", "version": "earlier than 25R1-NM (exclusive)"}], "defaultStatus": "affected"}], "references": [{"url": "https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24819/"}], "x_generator": {"engine": "cveClient/1.0.15"}, "descriptions": [{"lang": "en", "value": "Nokia MantaRay NM is vulnerable to a Relative Path Traversal vulnerability due to improper validation of input parameter on the file system in Software Manager application."}], "providerMetadata": {"orgId": "b48c3b8f-639e-4c16-8725-497bc411dad0", "shortName": "Nokia", "dateUpdated": "2026-04-07T15:14:42.719Z"}}}, "cveMetadata": {"cveId": "CVE-2025-24819", "state": "PUBLISHED", "dateUpdated": "2026-04-07T17:56:15.517Z", "dateReserved": "2025-01-24T13:25:43.870Z", "assignerOrgId": "b48c3b8f-639e-4c16-8725-497bc411dad0", "datePublished": "2026-04-07T15:14:42.719Z", "assignerShortName": "Nokia"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nokia:mantaray_nm:*:*:*:*:*:*:*:*", "matchCriteriaId": "C678CD07-A42D-4168-8852-9C232E8DA11B", "versionEndExcluding": "25r1-nm", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Nokia MantaRay NM is vulnerable to a Relative Path Traversal vulnerability due to improper validation of input parameter on the file system in Software Manager application."}], "id": "CVE-2025-24819", "lastModified": "2026-04-22T18:54:31.077", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-07T16:16:22.917", "references": [{"source": "b48c3b8f-639e-4c16-8725-497bc411dad0", "tags": ["Vendor Advisory"], "url": "https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24819/"}], "sourceIdentifier": "b48c3b8f-639e-4c16-8725-497bc411dad0", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-23"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,25R1-NM)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "MantaRay NM", "source": "cna", "vendor": "Nokia"}, "product": "mantaray_nm", "vendor": "nokia"}], "analysis": {"en": {"generated_at": "2026-04-07T21:26:20.227643+00:00", "value": {"mitigation_remediation": ["Enterprise: Obtain and apply the latest Nokia MantaRay NM firmware that addresses CVE-2025-24819.", "If a patch is unavailable, restrict external access to the Software Manager interface by firewall rules or network segmentation. ", "Configure the file system permissions for the Software Manager directory to the minimum required, preventing it from reading sensitive locations. ", "Enable logging and monitor for anomalous file access patterns, such as repeated \"..\" sequences, to detect attempted exploitation. ", "Consider employing a web application firewall or intrusion detection system to block or rate-limit path traversal patterns."], "summary": {"action": "Patch", "impact": "Information disclosure via relative path traversal"}, "threat_synthesis": {"affected_systems": "All builds of Nokia MantaRay NM are vulnerable as the defect resides in the core Software Manager component. Without an applied vendor patch, any instance of the device that exposes the Software Manager interface to users or remote agents remains at risk. Specific version identifiers are not supplied, so all deployed firmware versions should be considered affected until a vendor update is released.", "description_and_impact": "The vulnerability originates from the Software Manager application\u2019s failure to properly validate input parameters that reference file system paths. An attacker who can influence these inputs may construct a request containing relative path components such as \"..\\\" or \"../../\" to read files outside the intended directory. This enables the disclosure of sensitive files, potentially exposing configuration data, logs, or other confidential information. The weakness does not grant arbitrary code execution or privilege escalation, but it can compromise confidentiality within the affected device. The weakness corresponds to the CWE-23 classification of relative path traversal.", "risk_and_exploitability": "The CVSS base score of 5.7 indicates moderate impact, reflecting the limited nature of the disclosure. Because EPSS data is unavailable, the assessed likelihood of exploitation remains uncertain, but path traversal flaws are frequently targeted in practice. The vulnerability is not listed in CISA\u2019s KEV catalog, suggesting no widely known, actively exploited examples at the time of reporting. The probable attack vector is remote, through interactions with the Software Manager interface, which may be accessed over local or network connections depending on configuration. An attacker would need the ability to send crafted input to the application; no additional privileges or user interaction are required beyond that."}}}}, "created": "2026-04-08T19:37:10.844414+00:00", "updated": "2026-04-08T19:48:26.490896+00:00", "vendors": ["nokia", "nokia$PRODUCT$mantaray_nm"]}