CVE-2025-24335
SOAP message input validation fault could in theory cause OAM service resource exhaustion

Public disclosure

02-07-2025

Last updated

02-07-2025

Vulnerability type

Denial of Service

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L

CVSS score

2.0

Description

Nokia Single RAN baseband software versions earlier than 24R1-SR 2.1 MP contain a SOAP message input validation flaw, which in theory could potentially be used for causing resource exhaustion in the Single RAN baseband OAM service.

No practical exploit has been detected for this flaw. However, the issue has been corrected starting from release 24R1-SR 2.1 MP by adding sufficient input validation for received SOAP requests, effectively mitigating the reported issue.

This vulnerability is not exploitable from outside the Mobile Network Operator (MNO) internal architecture, such as from mobile network user devices (UEs), roaming networks, or the Internet. The reported software flaw in the Single RAN baseband can only be attempted misused from within the MNO internal Radio Access Network (RAN) management network by sending malformed SOAP messages. 

Affected products and versions

Product

Versions

Nokia Single RAN

All the releases prior to 24R1-SR 2.1 MP

Mitigation plan

The fix has been included starting from 24R1-SR 2.1 MP.

Acknowledgements

  • Guillaume Teissier (P1 Security France)
  • Laurent Ghigonis (P1 Security France) 
  • Radu Balaci (Bell Mobility Canada)
  • Meghna Patel (Bell Mobility Canada)

References

Change history : Initial version is published on 02-07-2025