CVE-2025-24333

Nokia Single RAN baseband software earlier than 24R1-SR 1.0 MP contains administrative shell input validation fault, which authenticated admin user can, in theory, potentially use for injecting arbitrary commands for unprivileged baseband OAM service process execution via special characters added to baseband internal COMA_config.xml file. This issue has been corrected starting from release 24R1-SR 1.0 MP and later, by adding proper input validation to OAM service process which prevents injecting special characters via baseband internal COMA_config.xml file.

CVSS v3 6.4 MEDIUM

6.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.5 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.nokia.com/about-us/security-and-privacy/product-security-advisory/cve-2025-24333/

Configurations

No configuration.

History

03 Jul 2025, 15:13

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-02 09:15

Updated : 2025-07-03 15:13

NVD link : CVE-2025-24333

Mitre link : CVE-2025-24333

CVE.ORG link : CVE-2025-24333

JSON object : View

Products Affected

No product.

CWE

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

{"id": "CVE-2025-24333", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.5}]}, "published": "2025-07-02T09:15:24.800", "references": [{"url": "https://www.nokia.com/about-us/security-and-privacy/product-security-advisory/cve-2025-24333/", "source": "b48c3b8f-639e-4c16-8725-497bc411dad0"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-77"}]}], "descriptions": [{"lang": "en", "value": "Nokia Single RAN baseband software earlier than 24R1-SR 1.0 MP contains administrative shell input validation fault, which authenticated admin user can, in theory, potentially use for injecting arbitrary commands for unprivileged baseband OAM service process execution via special characters added to baseband internal COMA_config.xml file.\n\nThis issue has been corrected starting from release 24R1-SR 1.0 MP and later, by adding proper input validation to OAM service process which prevents injecting special characters via baseband internal COMA_config.xml file."}, {"lang": "es", "value": "El software de banda base de Nokia Single RAN anterior a la versi\u00f3n 24R1-SR 1.0 MP presenta un fallo de validaci\u00f3n de entrada en el shell administrativo. Este fallo, en teor\u00eda, podr\u00eda ser utilizado por un usuario administrador autenticado para inyectar comandos arbitrarios y ejecutar procesos de servicio OAM de banda base sin privilegios mediante la adici\u00f3n de caracteres especiales al archivo interno COMA_config.xml de banda base. Este problema se ha corregido a partir de la versi\u00f3n 24R1-SR 1.0 MP, a\u00f1adiendo una validaci\u00f3n de entrada adecuada al proceso de servicio OAM, lo que impide la inyecci\u00f3n de caracteres especiales mediante el archivo interno COMA_config.xml de banda base."}], "lastModified": "2025-07-03T15:13:53.147", "sourceIdentifier": "b48c3b8f-639e-4c16-8725-497bc411dad0"}