PT-2025-27608 · Nokia · Nokia Single Ran Baseband

Guillaume Teissier +3 · Published 2025-07-02 · Updated 2025-07-02 · CVE-2025-24330

CVSS v2.0: 6.5 (Medium)
Vector: AV:A/AC:H/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Nokia Single RAN baseband software versions prior to 24R1-SR 1.0 MP
Description: A path traversal issue arises when a crafted SOAP "provision" operation message with a malicious PlanId field is sent within the Mobile Network Operator (MNO) internal Radio Access Network (RAN) management network. This has been mitigated in release 24R1-SR 1.0 MP and later by performing input validation on the PlanId field in the OAM service software.
Recommendations: For versions prior to 24R1-SR 1.0 MP, update to release 24R1-SR 1.0 MP or later to resolve the issue. As a temporary workaround, consider restricting access to the SOAP "provision" operation message endpoint to minimize the risk of exploitation. Avoid using the PlanId field in the affected API endpoint until the issue is resolved.

Fix

Path traversal

Weakness Enumeration

Related Identifiers: BDU:2025-07973, CVE-2025-24330

Affected Products: Nokia Single Ran Baseband