CVE-2025-24936
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-07-21

Last updated on: 2025-08-11

Assigner: Nokia

Description
The web application allows user input to pass unfiltered to a command executed on the underlying operating system. The vulnerable component is bound to the network stack and the set of possible attackers extends up to and including the entire Internet. An attacker with low privileged access to the application has the potential to execute commands on the operating system under the context of the webserver.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-07-21
Last Modified
2025-08-11
Generated
2026-05-07
AI Q&A
2025-07-21
EPSS Evaluated
2026-05-05
NVD
CVE-2025-24936
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
nokia wavesuite_noc 23.6
nokia wavesuite_noc 23.12
nokia wavesuite_noc 24.6
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-24936 is a command injection vulnerability in Nokia's WaveSuite NOC products where user input in the URL is not properly validated and is passed directly to operating system commands. This allows an attacker with low privileged access to the web application to execute arbitrary commands on the underlying operating system with the webserver's privileges. The vulnerability is exposed to the network, potentially the entire Internet. [1]


How can this vulnerability impact me? :

This vulnerability can have a severe impact by allowing attackers to execute arbitrary commands on the server, potentially leading to full system compromise. It affects confidentiality, integrity, and availability of the system, meaning sensitive data could be exposed or altered, and services could be disrupted or taken down. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection can involve checking for unusual or unauthorized command executions originating from the web application, especially commands triggered by URL parameters. Network monitoring for suspicious HTTP requests containing unusual input patterns may help. Specific commands are not provided in the resources, but generally, reviewing web server logs for suspicious input or using intrusion detection systems to flag command injection patterns is recommended. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading the affected Nokia WaveSuite NOC products to version 24.6 FP3 or later, where the fix has been implemented. Additionally, restricting access to the web application, applying input validation and sanitization, and monitoring for suspicious activity can help reduce risk until the patch is applied. [1]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart