A Sudo Privilege Escalation Vulnerability in Nokia MantaRay NM
Summary
| CVE | CVE-2025-7406 |
|---|---|
| State | PUBLISHED |
| Assigner | Nokia |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-30 10:16:33 UTC |
| Updated | 2026-06-30 14:23:38 UTC |
| Description | Nokia MantaRay NM is vulnerable to a sudo privilege escalation vulnerability where a local attacker possessing administrative (local admin) privileges can escalate to full root privileges on the host. Successful exploitation results in root-level access to the filesystem and the ability to execute actions as root. The risk can be temporarily mitigated by restricting the set of commands permitted via sudo for the affected accounts. |
Risk And Classification
Primary CVSS: v3.1 7.8 HIGH from ADP
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.001280000 probability, percentile 0.027920000 (date 2026-07-02)
Problem Types: CWE-269 | CWE-269 CWE-269 Improper Privilege Management
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | DECLARED | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Nokia | MantaRay NM | affected <NM 25R1-NM | Not specified |
| CNA | Nokia | MantaRay NM | unaffected ≥NM 25R1-NM | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-7406 | b48c3b8f-639e-4c16-8725-497bc411dad0 | www.nokia.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.