CVE-2025-24331
Nokia Single RAN baseband OAM service extensive capabilities

Public disclosure

02-07-2025

Last updated

02-07-2025

Vulnerability type

Elevated capabilities

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS score

6.4

Description

The Single RAN baseband OAM service is intended to run as an unprivileged service. However, it initially starts with root privileges and assigns certain capabilities before dropping to an unprivileged level. The capabilities retained from the root period are considered extensive for the service after the privilege drop and could, in theory, allow actions beyond the intended scope of the OAM service. These actions could include gaining root privileges, accessing root-owned files, modifying them as the file owner, and then returning them to root ownership.

This vulnerability is not exploitable from outside the Mobile Network Operator (MNO) internal architecture, such as from mobile network user devices (UEs), roaming networks, or the Internet. Beginning with release 24R1-SR 0.2 MP, the OAM service software capabilities are restricted to the minimum necessary.

No practical exploit has been detected for this extensive capabilities issue in the OAM service. In theory, however, in software versions earlier than release 24R1-SR 0.2 MP, it could have unknown misuse scenarios from within the MNO internal Radio Access Network (RAN) management network by an authenticated Single RAN base station administrative user.
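A check for the condition described above, as an added example that is not Nokia's code: assuming a Linux-based system, it parses a /proc/<pid>/status snapshot and flags a non-root process whose usable capability sets still contain capabilities matching the outcomes listed in the description. The advisory does not name the capabilities involved; the RISKY selection, the process name and the sample status text are assumptions constructed for this example.

```python
# Added example (not vendor code). Capability bit numbers come from Linux
# <linux/capability.h>; which ones count as "risky" is this example's assumption.
RISKY = {
    0: "CAP_CHOWN",            # give files back to root ownership
    1: "CAP_DAC_OVERRIDE",     # bypass file permission checks
    2: "CAP_DAC_READ_SEARCH",  # read root-owned files
    3: "CAP_FOWNER",           # act as the owner of any file
    6: "CAP_SETGID",
    7: "CAP_SETUID",           # switch back to uid 0
    8: "CAP_SETPCAP",
    21: "CAP_SYS_ADMIN",
}
# Sets a running process can use: permitted can be raised into effective,
# ambient survives execve().
USABLE_SETS = ("CapPrm", "CapEff", "CapAmb")

# Constructed /proc/<pid>/status excerpts for a hypothetical service.
STATUS_RETAINED = """Name:\toam-example
Uid:\t1000\t1000\t1000\t1000
CapInh:\t0000000000000000
CapPrm:\t00000000000000c9
CapEff:\t00000000000000c9
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""
# Same process with only bit 10 (CAP_NET_BIND_SERVICE) left after the drop.
STATUS_MINIMAL = STATUS_RETAINED.replace("00000000000000c9", "0000000000000400")

def audit(status_text):
    """Return (effective_uid, {capability_set: [risky capability names]})."""
    fields = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    euid = int(fields["Uid"].split()[1])  # order: real, effective, saved, fs
    findings = {}
    for name in USABLE_SETS:
        mask = int(fields.get(name, "0"), 16)
        hits = [cap for bit, cap in sorted(RISKY.items()) if (mask >> bit) & 1]
        if hits:
            findings[name] = hits
    return euid, findings

def is_over_privileged(status_text):
    """True when a non-root process still holds any capability in RISKY."""
    euid, findings = audit(status_text)
    return euid != 0 and bool(findings)

if __name__ == "__main__":
    for label, text in (("retained", STATUS_RETAINED), ("minimal", STATUS_MINIMAL)):
        print(label, is_over_privileged(text), audit(text)[1])
```

On a live system the same functions can be fed the contents of /proc/<pid>/status for the service process instead of the constructed samples.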

Affected products and versions

Product: Nokia Single RAN

Versions: All releases prior to 24R1-SR 0.2 MP

Mitigation plan

The fix has been included starting from 24R1-SR 0.2 MP.

Acknowledgements

  • Guillaume Teissier (P1 Security France)
  • Laurent Ghigonis (P1 Security France) 
  • Radu Balaci (Bell Mobility Canada)
  • Meghna Patel (Bell Mobility Canada)

References

Change history: Initial version published on 02-07-2025