CVE-2025-9974
BaseFortify
Publication date: 2026-02-02
Last updated on: 2026-02-03
Assigner: Nokia
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nokia | beacon | all versions before BBDR2503 (BBDR2503 itself is not affected) |
| nokia | ont | all versions before BBDR2503 (BBDR2503 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
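To make the CWE-78 pattern concrete, here is an added example (not code from the BaseFortify page, the CVE record, or Nokia's firmware) of a web-UI diagnostic handler that builds a `ping` command from a user-supplied target. The vulnerable form interpolates the parameter into a shell command string; the hardened form allowlist-validates the value and hands it to the program as its own argv element with no shell involved. A small log check then flags requests whose parameter would have failed that allowlist, which is the kind of signal a defender can look for in web-UI access logs. The endpoint path, the `target` parameter name and the log line format are assumptions made for illustration.

```python
"""Added example (not from the BaseFortify page or from Nokia): vulnerable
and hardened ways of building an OS command from a web-UI parameter, plus a
log check that flags values which would fail the allowlist.  Endpoint,
parameter name and log format are assumptions for illustration."""
import ipaddress
import re
from urllib.parse import unquote

# RFC 1123 hostname: labels of letters/digits/hyphens joined by dots.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
# Characters a POSIX shell treats specially; none of them belong in a host.
_METACHARS = set(";|&$`\n<>(){}")


def build_ping_unsafe(target: str) -> str:
    """Vulnerable pattern (CWE-78): the raw parameter is interpolated into a
    string intended for `sh -c`.  Anything the shell treats specially in
    `target` becomes part of the command line instead of an argument."""
    return f"ping -c 1 {target}"


def is_valid_target(target: str) -> bool:
    """Allowlist: an IPv4/IPv6 literal or an RFC 1123 hostname, nothing else."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return bool(_HOSTNAME_RE.match(target))


def build_ping_safe(target: str) -> list[str]:
    """Hardened pattern: validate first, then return an argv list.  Passed to
    subprocess.run(..., shell=False), `target` reaches ping as one argument;
    no shell ever parses it, so metacharacters have no meaning."""
    if not is_valid_target(target):
        raise ValueError(f"rejected diagnostic target: {target!r}")
    return ["ping", "-c", "1", target]


def flag_suspicious_targets(log_lines):
    """Detection over access-log lines of the constructed form
    'METHOD /path target=<url-encoded value>'.  Returns (line, decoded value)
    for every value that contains a shell metacharacter or fails the
    allowlist; such requests deserve a closer look regardless of the
    firmware version in place."""
    hits = []
    for line in log_lines:
        m = re.search(r"target=(\S*)", line)
        if not m:
            continue
        value = unquote(m.group(1))
        if set(value) & _METACHARS or not is_valid_target(value):
            hits.append((line, value))
    return hits


# Constructed sample log lines (not taken from any real device).
SAMPLE_LOG = [
    "POST /diag/ping target=192.168.1.1",
    "POST /diag/ping target=gateway.local",
    "POST /diag/ping target=192.168.1.1%3Becho%20injected",
    "POST /diag/ping target=%60echo%20injected%60",
]

if __name__ == "__main__":
    print("unsafe:", build_ping_unsafe("127.0.0.1; echo injected"))
    print("safe:  ", build_ping_safe("127.0.0.1"))
    for line, value in flag_suspicious_targets(SAMPLE_LOG):
        print("flagged:", value, "<-", line)
```

The two builders differ in where the trust boundary sits: the unsafe one leaves it to the shell to decide what the input means, the safe one decides itself with an allowlist and never gives the shell a chance. The allowlist is deliberately stricter than "strip the characters I know about", since a denylist of metacharacters has to be complete for every shell the device might use, whereas an allowlist of hostnames and IP literals only has to describe the one input the feature needs.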
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9974 is an authenticated OS command injection vulnerability in the unified WEBUI application of Nokia ONT/Beacon devices. It occurs because the application does not properly validate user-supplied input, allowing a low-privileged authenticated user to execute arbitrary system-level commands on the device's operating system. This means an attacker with limited access can run commands that were not intended, potentially compromising the device. [1]
How can this vulnerability impact me?
This vulnerability can impact you by compromising the confidentiality, integrity, and availability of the affected Nokia ONT/Beacon devices. An attacker exploiting this flaw could execute arbitrary commands on the device, potentially leading to unauthorized access to sensitive information, modification or deletion of data, and disruption or denial of device services. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the firmware of your Nokia Beacon and ONT devices to version BBDR2503 or later, as this release contains the fix for the issue. Additionally, contact Nokia support for further assistance if needed. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows low-privileged authenticated users to execute arbitrary system-level commands, potentially compromising the confidentiality, integrity, and availability of the device. Such compromises can lead to violations of common standards and regulations like GDPR and HIPAA, which require protection of data confidentiality and integrity. Therefore, this vulnerability may negatively impact compliance with these regulations if exploited. [1]