CVE-2025-9974

HIGH

Nokia ONT - Authenticated OS Command Injection via WEBUI Input Handling

Title source: llm

Description

The unified WEBUI application of the ONT/Beacon device contains an input handling flaw that allows authenticated users to trigger unintended system-level command execution. Due to insufficient validation of user-supplied data, a low-privileged authenticated attacker may be able to execute arbitrary commands on the underlying ONT/Beacon operating system, potentially impacting the confidentiality, integrity, and availability of the device.

References (1)

Core 1

Core References

Various Sources

https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-9974/

Scores

CVSS v3 8.0

EPSS 0.0040

EPSS Percentile 31.7%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-78

Status published

Products (2)

Nokia/Nokia ONT BBDR2503 and later releases

Nokia/Nokia ONT Releases prior to BBDR2503

Published Feb 02, 2026

Tracked Since Feb 18, 2026