CVE-2025-24335
SOAP message input validation fault could in theory cause OAM service resource exhaustion
Public disclosure |
02-07-2025 |
|---|---|
Last updated |
02-07-2025 |
Vulnerability type |
Denial of Service |
CVSS vector |
CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L |
CVSS score |
2.0 |
Description
Nokia Single RAN baseband software versions earlier than 24R1-SR 2.1 MP contain a SOAP message input validation flaw, which in theory could potentially be used for causing resource exhaustion in the Single RAN baseband OAM service.
No practical exploit has been detected for this flaw. However, the issue has been corrected starting from release 24R1-SR 2.1 MP by adding sufficient input validation for received SOAP requests, effectively mitigating the reported issue.
This vulnerability is not exploitable from outside the Mobile Network Operator (MNO) internal architecture, such as from mobile network user devices (UEs), roaming networks, or the Internet. The reported software flaw in the Single RAN baseband can only be attempted misused from within the MNO internal Radio Access Network (RAN) management network by sending malformed SOAP messages.
Affected products and versions
Product |
Versions |
|---|---|
Nokia Single RAN |
All the releases prior to 24R1-SR 2.1 MP |
Mitigation plan
The fix has been included starting from 24R1-SR 2.1 MP.
Acknowledgements
- Guillaume Teissier (P1 Security France)
- Laurent Ghigonis (P1 Security France)
- Radu Balaci (Bell Mobility Canada)
- Meghna Patel (Bell Mobility Canada)
References
Change history : Initial version is published on 02-07-2025