CVE-2025-24333
BaseFortify
Publication date: 2025-07-02
Last updated on: 2025-07-03
Assigner: Nokia
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Nokia Single RAN baseband software versions earlier than 24R1-SR 1.0 MP. It is an administrative shell input validation fault that allows an authenticated admin user to potentially inject arbitrary commands into the unprivileged baseband OAM service process by adding special characters to the baseband internal COMA_config.xml file. This could lead to unintended command execution within the system.
How can this vulnerability impact me? :
If exploited, this vulnerability could allow an authenticated admin user to execute arbitrary commands within the baseband OAM service process, which operates with unprivileged rights. This could lead to unauthorized actions or disruptions in the baseband system's operation, potentially affecting the stability and security of the affected network equipment.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the Nokia Single RAN baseband software to version 24R1-SR 1.0 MP or later, as these versions include proper input validation that prevents command injection via the COMA_config.xml file.