An unrestricted file upload vulnerability in Nokia MantaRay NM
Summary
| CVE | CVE-2025-24815 |
|---|---|
| State | PUBLISHED |
| Assigner | Nokia |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-30 10:16:32 UTC |
| Updated | 2026-06-30 14:23:38 UTC |
| Description | Nokia MantaRay NM is subject to an unrestricted file upload vulnerability due to insufficient file type validation. Successful exploitation could allow an authenticated attacker to upload malicious files onto the system. |
Risk And Classification
Primary CVSS: v3.1 7.8 HIGH from ADP
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.001510000 probability, percentile 0.046390000 (date 2026-07-02)
Problem Types: CWE-434 Unrestricted Upload of File with Dangerous Type
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | DECLARED | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVSS v3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Nokia | MantaRay NM | affected <25R2-NM | Not specified |
| CNA | Nokia | MantaRay NM | unaffected ≥25R2-NM | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24815 | b48c3b8f-639e-4c16-8725-497bc411dad0 | www.nokia.com | |
| www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2026-24815 | MITRE | www.nokia.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.