Summary : Security Advisory: Two command injection vulnerabilities have been found in Nokia’s WaveSuite Network Operations Center (WS-NOC), a key tool used to manage telecom and enterprise networks.

OEM	Nokia
Severity	Critical
CVSS Score	9.0
CVEs	CVE-2025-24936, CVE-2025-24938
POC Available	No
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview 

These vulnerabilities allow attackers with limited access to run malicious commands on the system’s operating system. The vulnerabilities affect WS-NOC versions 23.6, 23.12, and 24.6. Nokia has released fixes in version 24.6 FP3 and newer. 

Vulnerability Name	CVE ID	Product Affected	Severity	Fixed Version
​ Command Injection Vulnerability	CVE-2025-24936	Nokia WS-NOC	Critical	v24.6 FP3 & later
​ Command Injection Vulnerability	CVE-2025-24938	Nokia WS-NOC	High	v24.6 FP3 & later

Technical Summary 

The first vulnerability, CVE-2025-24936, CVSS- 9.0 due to the system doesn’t properly check parts of a web address (URL). The attacker with low privileged access can trick the system into running malicious commands, as if they were part of the system itself. As this flaw has been published, attackers can remotely target exposed or inadequately secured administrative pages. 

The second issue, with the CVE-2025-24938, CVSS- 8.4 affects to new user accounts are created through the web interface. In this case, with high privileged access – administrators can intentionally enter harmful commands because their input isn’t being filtered properly. 

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025- 24936	WS-NOC 23.6, 23.12, 24.6	Unfiltered URL input enables command injection by low-privileged users.	Remote code execution
CVE-2025- 24938	WS-NOC 23.6, 23.12, 24.6	Insufficient input validation during account creation enables command injection.	Privilege escalation, Remote code execution

Remediation: 

• Immediate Action: Upgrade WS-NOC to version 24.6 FP3 or latest one to mitigate both vulnerabilities. 

Recommendations: 

• Configuration Check: Restrict admin panel and WS-NOC access to trusted, internal networks only. 

• Environment Hardening: Regularly audit user privileges, conduct input validation reviews, and deploy security monitoring for unusual command executions originating from the WS-NOC application. 

Conclusion: 

CVE-2025-24936 and CVE-2025-24938 are critical command injection vulnerabilities in Nokia WaveSuite NOC, which is used in telecom systems around the world. These vulnerabilities allow attackers to execute malicious commands with limited access. As these systems are part of critical infrastructure, prompt patching is essential to prevent potential remote attacks and network disruption. 

References: 

• https://www.nokia.com/about-us/security-and-privacy/product-security-advisory/cve-2025-24936/ 

• https://www.nokia.com/about-us/security-and-privacy/product-security-advisory/cve-2025-24938/ 

• https://securityonline.info/critical-flaw-cve-2025-24936-cvss-9-0-in-nokia-wavesuite-noc-expose-telecom-networks-to-rce/