Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    96 vulnerabilities by Ericsson

    CVE-2025-59174 (GCVE-0-2025-59174)

    Vulnerability from nvd – Published: 2026-06-05 13:44 – Updated: 2026-06-05 20:09
    VLAI
    Summary
    Ericsson Packet Core Controller (PCC) versions prior to 1.39 contain a vulnerability where an attacker sending a large volume of specially crafted messages may cause service degradation.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-228 - Improper Handling of Syntactically Invalid Structure
    Assigner
    Impacted products
    Vendor Product Version
    Ericsson Packet Core Controller Affected: 0 , < 1.39 (custom)
    Create a notification for this product.
    Date Public
    2026-06-02 11:12
    Credits
    The UK Telecoms Lab (UKTL) The UK’s National Cyber Security Centre (NCSC)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-59174",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-05T20:09:12.098289Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-05T20:09:18.706Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Packet Core Controller",
              "vendor": "Ericsson",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.39",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "1.39",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "The UK Telecoms Lab (UKTL)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "The UK\u2019s National Cyber Security Centre (NCSC)"
            }
          ],
          "datePublic": "2026-06-02T11:12:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Ericsson Packet Core Controller (PCC) versions prior to 1.39 contain a vulnerability where an attacker sending a large volume of specially crafted messages may cause service degradation."
                }
              ],
              "value": "Ericsson Packet Core Controller (PCC) versions prior to 1.39 contain a vulnerability where an attacker sending a large volume of specially crafted messages may cause service degradation."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-228",
                  "description": "CWE-228: Improper Handling of Syntactically Invalid Structure",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-05T13:44:39.149Z",
            "orgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
            "shortName": "ERIC"
          },
          "references": [
            {
              "url": "https://ericsson.com/en/about-us/security/psirt/CVE-2025-59174"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
        "assignerShortName": "ERIC",
        "cveId": "CVE-2025-59174",
        "datePublished": "2026-06-05T13:44:39.149Z",
        "dateReserved": "2025-09-10T13:24:49.360Z",
        "dateUpdated": "2026-06-05T20:09:18.706Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25659 (GCVE-0-2026-25659)

    Vulnerability from nvd – Published: 2026-06-05 11:08 – Updated: 2026-06-05 20:11
    VLAI
    Title
    Ericsson Packet Core Gateway (PCG) - Improper handling of missing values Vulnerability
    Summary
    Ericsson Packet Core Gateway (PCG) versions prior to 1.30 contain an Improper Handling of Missing Values (CWE-230) vulnerability where an attacker continuously sending a specially crafted message can cause service degradation. The impact continues as long the attack persists but the system recovers from the crashes when the attack stops.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-230 - Improper handling of missing values
    Assigner
    Impacted products
    Vendor Product Version
    Ericsson Packet Core Gateway (PCG) Affected: 0 , < 1.30 (1.30)
    Create a notification for this product.
    Credits
    Clemens Keil, Manfred Heinz, Patrick Walker of BDO Cyber Security GmbH BSI 5G/6G Security Lab TEMIS (Federal Office for Information Security, Germany)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25659",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-05T20:11:16.225932Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-05T20:11:23.341Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Packet Core Gateway (PCG)",
              "vendor": "Ericsson",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.30",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "1.30",
                  "status": "affected",
                  "version": "0",
                  "versionType": "1.30"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Clemens Keil, Manfred Heinz, Patrick Walker of BDO Cyber Security GmbH"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "BSI 5G/6G Security Lab TEMIS (Federal Office for Information Security, Germany)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eEricsson\nPacket Core Gateway (PCG) versions prior to 1.30 contain an Improper Handling\nof Missing Values (CWE-230) vulnerability where an attacker continuously\nsending a specially crafted message can cause service degradation.\u0026nbsp;\u003cspan\u003eThe impact continues as long the attack persists but the system recovers from the crashes when the attack stops.\u003c/span\u003e\u003c/p\u003e"
                }
              ],
              "value": "Ericsson\nPacket Core Gateway (PCG) versions prior to 1.30 contain an Improper Handling\nof Missing Values (CWE-230) vulnerability where an attacker continuously\nsending a specially crafted message can cause service degradation.\u00a0The impact continues as long the attack persists but the system recovers from the crashes when the attack stops."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-230",
                  "description": "CWE-230 Improper handling of missing values",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-05T11:08:39.929Z",
            "orgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
            "shortName": "ERIC"
          },
          "references": [
            {
              "url": "https://www.ericsson.com/en/about-us/security/psirt/cve-2026-25659"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Ericsson Packet Core Gateway (PCG) - Improper handling of missing values Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
        "assignerShortName": "ERIC",
        "cveId": "CVE-2026-25659",
        "datePublished": "2026-06-05T11:08:39.929Z",
        "dateReserved": "2026-02-04T12:41:54.869Z",
        "dateUpdated": "2026-06-05T20:11:23.341Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25658 (GCVE-0-2026-25658)

    Vulnerability from nvd – Published: 2026-06-05 11:06 – Updated: 2026-06-05 20:11
    VLAI
    Title
    Ericsson Packet Core Gateway (PCG) - Improper handling of missing values Vulnerability
    Summary
    Ericsson Packet Core Gateway (PCG) versions prior to 1.30 contain an Improper Handling of Missing Values (CWE-230) vulnerability where an attacker continuously sending a specially crafted message can cause service degradation. The impact continues as long the attack persists but the system recovers from the crashes when the attack stops.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-230 - Improper handling of missing values
    Assigner
    Impacted products
    Vendor Product Version
    Ericsson Packet Core Gateway (PCG) Affected: 0 , < 1.30 (1.30)
    Create a notification for this product.
    Credits
    Clemens Keil, Manfred Heinz, Patrick Walker of BDO Cyber Security GmbH BSI 5G/6G Security Lab TEMIS (Federal Office for Information Security, Germany)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25658",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-05T20:11:36.044286Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-05T20:11:42.365Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Packet Core Gateway (PCG)",
              "vendor": "Ericsson",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.30",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "1.30",
                  "status": "affected",
                  "version": "0",
                  "versionType": "1.30"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Clemens Keil, Manfred Heinz, Patrick Walker of BDO Cyber Security GmbH"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "BSI 5G/6G Security Lab TEMIS (Federal Office for Information Security, Germany)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eEricsson\nPacket Core Gateway (PCG) versions prior to 1.30 contain an Improper Handling\nof Missing Values (CWE-230) vulnerability where an attacker continuously\nsending a specially crafted message can cause service degradation.\u0026nbsp;\u003cspan\u003eThe impact continues as long the attack persists but the system recovers from the crashes when the attack stops.\u003c/span\u003e\u003c/p\u003e"
                }
              ],
              "value": "Ericsson\nPacket Core Gateway (PCG) versions prior to 1.30 contain an Improper Handling\nof Missing Values (CWE-230) vulnerability where an attacker continuously\nsending a specially crafted message can cause service degradation.\u00a0The impact continues as long the attack persists but the system recovers from the crashes when the attack stops."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-230",
                  "description": "CWE-230 Improper handling of missing values",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-05T11:06:27.504Z",
            "orgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
            "shortName": "ERIC"
          },
          "references": [
            {
              "url": "https://www.ericsson.com/en/about-us/security/psirt/cve-2026-25658"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Ericsson Packet Core Gateway (PCG) - Improper handling of missing values Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
        "assignerShortName": "ERIC",
        "cveId": "CVE-2026-25658",
        "datePublished": "2026-06-05T11:06:27.504Z",
        "dateReserved": "2026-02-04T12:41:54.869Z",
        "dateUpdated": "2026-06-05T20:11:42.365Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25657 (GCVE-0-2026-25657)

    Vulnerability from nvd – Published: 2026-06-05 11:03 – Updated: 2026-06-05 20:11
    VLAI
    Title
    Ericsson Packet Core Gateway (PCG) - Improper Handling of Syntactically Invalid Structure Vulnerability
    Summary
    Ericsson Packet Core Gateway (PCG) versions prior to 1.30 contain an Improper Handling of Syntactically Invalid Structure (CWE-228) vulnerability where an attacker continuously sending a specially crafted message can cause service degradation. The impact continues as long the attack persists but the system recovers from the crashes when the attack stops.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Ericsson Packet Core Gateway (PCG) Affected: 0 , < 1.30 (1.30)
    Create a notification for this product.
    Credits
    Clemens Keil, Manfred Heinz, Patrick Walker of BDO Cyber Security GmbH BSI 5G/6G Security Lab TEMIS (Federal Office for Information Security, Germany)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25657",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-05T20:11:51.419993Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-05T20:11:57.051Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Packet Core Gateway (PCG)",
              "vendor": "Ericsson",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.30",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "1.30",
                  "status": "affected",
                  "version": "0",
                  "versionType": "1.30"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Clemens Keil, Manfred Heinz, Patrick Walker of BDO Cyber Security GmbH"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "BSI 5G/6G Security Lab TEMIS (Federal Office for Information Security, Germany)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eEricsson Packet Core Gateway (PCG) versions prior to 1.30 contain an Improper Handling of Syntactically Invalid Structure (CWE-228) vulnerability where an attacker continuously sending a specially crafted message can cause service degradation. The impact continues as long the attack persists but the system recovers from the crashes when the attack stops.\u003c/p\u003e"
                }
              ],
              "value": "Ericsson Packet Core Gateway (PCG) versions prior to 1.30 contain an Improper Handling of Syntactically Invalid Structure (CWE-228) vulnerability where an attacker continuously sending a specially crafted message can cause service degradation. The impact continues as long the attack persists but the system recovers from the crashes when the attack stops."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-228",
                  "description": "CWE-228",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-05T11:03:02.273Z",
            "orgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
            "shortName": "ERIC"
          },
          "references": [
            {
              "url": "https://www.ericsson.com/en/about-us/security/psirt/cve-2026-25657"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Ericsson Packet Core Gateway (PCG) - Improper Handling of Syntactically Invalid Structure Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
        "assignerShortName": "ERIC",
        "cveId": "CVE-2026-25657",
        "datePublished": "2026-06-05T11:03:02.273Z",
        "dateReserved": "2026-02-04T12:41:54.869Z",
        "dateUpdated": "2026-06-05T20:11:57.051Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25660 (GCVE-0-2026-25660)

    Vulnerability from nvd – Published: 2026-04-24 13:10 – Updated: 2026-04-24 13:51 X_Open Source
    VLAI
    Title
    Authentication bypass for certain API calls
    Summary
    CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Authentication bypass occurs when the URL ends with Authentication with certain function calls.  This bypass allows assigning arbitrary permission to any user existing in CodeChecker. This issue affects CodeChecker: through 6.27.3.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-290 - Authentication bypass by spoofing
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Ericsson CodeChecker Affected: 0 , ≤ 6.27.3 (python)
    Create a notification for this product.
    Credits
    Scott Tolley
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25660",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-24T13:50:59.651031Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-24T13:51:11.174Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "CodeChecker",
              "vendor": "Ericsson",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "6.27.4",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "6.27.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Scott Tolley"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan\u003eCodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. \u003c/span\u003e\u003cbr\u003e\u003cp\u003eAuthentication bypass occurs when the URL ends with Authentication with certain function calls.\u0026nbsp; This bypass allows assigning arbitrary permission to any user existing in CodeChecker.\u003c/p\u003e\u003cp\u003eThis issue affects CodeChecker: through 6.27.3.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
                }
              ],
              "value": "CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. \nAuthentication bypass occurs when the URL ends with Authentication with certain function calls.\u00a0 This bypass allows assigning arbitrary permission to any user existing in CodeChecker.\n\nThis issue affects CodeChecker: through 6.27.3."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "USER",
                "Safety": "NEGLIGIBLE",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "PROOF_OF_CONCEPT",
                "privilegesRequired": "NONE",
                "providerUrgency": "RED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "CONCENTRATED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/S:N/AU:Y/R:U/V:C/RE:M/U:Red",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "MODERATE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-290",
                  "description": "CWE-290 Authentication bypass by spoofing",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863 Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T13:10:26.171Z",
            "orgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
            "shortName": "ERIC"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/Ericsson/codechecker/security/advisories/GHSA-4v9x-cqc5-j645"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "tags": [
            "x_open-source"
          ],
          "title": "Authentication bypass for certain API calls",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
        "assignerShortName": "ERIC",
        "cveId": "CVE-2026-25660",
        "datePublished": "2026-04-24T13:10:26.171Z",
        "dateReserved": "2026-02-04T12:41:54.869Z",
        "dateUpdated": "2026-04-24T13:51:11.174Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-53828 (GCVE-0-2024-53828)

    Vulnerability from nvd – Published: 2026-04-01 09:49 – Updated: 2026-04-01 12:39
    VLAI
    Title
    Ericsson Packet Core Controller (PCC) - Improper Handling of Syntactically Invalid Structure Vulnerability
    Summary
    Ericsson Packet Core Controller (PCC) versions prior to 1.38 contain a vulnerability where an attacker sending a large volume of specially crafted messages may cause service degradation.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Ericsson Packet Core Controller (PCC) Affected: 0 , < 1.38 (1.38)
    Create a notification for this product.
    Credits
    The UK’s National Cyber Security Centre (NCSC) The UK Telecoms Lab (UKTL)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-53828",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-01T12:39:12.844626Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-01T12:39:41.380Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Packet Core Controller (PCC)",
              "vendor": "Ericsson",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.38",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "1.38",
                  "status": "affected",
                  "version": "0",
                  "versionType": "1.38"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "The UK\u2019s National Cyber Security Centre (NCSC)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "The UK Telecoms Lab (UKTL)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Ericsson Packet Core Controller (PCC) versions prior\nto 1.38 contain a vulnerability where an attacker sending a large volume of\nspecially crafted messages may cause service degradation."
                }
              ],
              "value": "Ericsson Packet Core Controller (PCC) versions prior\nto 1.38 contain a vulnerability where an attacker sending a large volume of\nspecially crafted messages may cause service degradation."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-228",
                  "description": "CWE-228",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-01T09:49:18.214Z",
            "orgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
            "shortName": "ERIC"
          },
          "references": [
            {
              "url": "https://www.ericsson.com/en/about-us/security/psirt/CVE-2024-53828"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Ericsson Packet Core Controller (PCC) - Improper Handling of Syntactically Invalid Structure Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
        "assignerShortName": "ERIC",
        "cveId": "CVE-2024-53828",
        "datePublished": "2026-04-01T09:49:18.214Z",
        "dateReserved": "2024-11-22T14:21:37.002Z",
        "dateUpdated": "2026-04-01T12:39:41.380Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-40842 (GCVE-0-2025-40842)

    Vulnerability from nvd – Published: 2026-03-25 13:10 – Updated: 2026-03-25 13:44
    VLAI
    Title
    Ericsson Indoor Connect 8855 - Improper Neutralization of Input During Web Page Generation Vulnerability
    Summary
    Ericsson Indoor Connect 8855 versions prior to 2025.Q3 contains a Cross-Site Scripting (XSS) vulnerability which, if exploited, can lead to unauthorized disclosure and modification of certain information.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper neutralization of input during web page generation ('cross-site scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Ericsson Indoor Connect 8855 Affected: 0 , < 2025.Q3 (custom)
    Create a notification for this product.
    Credits
    Telstra
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-40842",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-25T13:44:02.789000Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-25T13:44:10.955Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Indoor Connect 8855",
              "vendor": "Ericsson",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2025.Q3",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2025.Q3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Telstra"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Ericsson Indoor Connect 8855 versions prior to 2025.Q3\u0026nbsp;contains a\nCross-Site Scripting (XSS) vulnerability which, if exploited, can lead to\nunauthorized disclosure and modification of certain information.\u0026nbsp;"
                }
              ],
              "value": "Ericsson Indoor Connect 8855 versions prior to 2025.Q3\u00a0contains a\nCross-Site Scripting (XSS) vulnerability which, if exploited, can lead to\nunauthorized disclosure and modification of certain information."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.5,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-25T13:15:53.253Z",
            "orgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
            "shortName": "ERIC"
          },
          "references": [
            {
              "url": "https://www.ericsson.com/en/about-us/security/psirt/security-bulletin-indoorconnect-march-2026"
            },
            {
              "url": "https://www.ericsson.com/en/about-us/security/psirt/CVE-2025-40842"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Ericsson Indoor Connect 8855 - Improper Neutralization of Input During Web Page Generation Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
        "assignerShortName": "ERIC",
        "cveId": "CVE-2025-40842",
        "datePublished": "2026-03-25T13:10:44.010Z",
        "dateReserved": "2025-04-16T08:59:01.744Z",
        "dateUpdated": "2026-03-25T13:44:10.955Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-40841 (GCVE-0-2025-40841)

    Vulnerability from nvd – Published: 2026-03-25 13:07 – Updated: 2026-03-25 13:44
    VLAI
    Title
    Ericsson Indoor Connect 8855 - Cross-Site Request Forgery Vulnerability
    Summary
    Ericsson Indoor Connect 8855 versions prior to 2025.Q3 contains a Cross-Site Request Forgery (CSRF) vulnerability which, if exploited, can lead to unauthorized modification of certain information.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site request forgery (CSRF)
    Assigner
    Impacted products
    Vendor Product Version
    Ericsson Indoor Connect 8855 Affected: 0 , < 2025.Q3 (custom)
    Create a notification for this product.
    Credits
    Telstra
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-40841",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-25T13:44:36.014812Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-25T13:44:45.962Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Indoor Connect 8855",
              "vendor": "Ericsson",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2025.Q3",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2025.Q3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Telstra"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Ericsson Indoor Connect 8855 versions prior to 2025.Q3\u0026nbsp;contains a\nCross-Site Request Forgery (CSRF) vulnerability which, if exploited, can lead\nto unauthorized modification of certain information.\u0026nbsp;"
                }
              ],
              "value": "Ericsson Indoor Connect 8855 versions prior to 2025.Q3\u00a0contains a\nCross-Site Request Forgery (CSRF) vulnerability which, if exploited, can lead\nto unauthorized modification of certain information."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site request forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-25T13:17:23.852Z",
            "orgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
            "shortName": "ERIC"
          },
          "references": [
            {
              "url": "https://www.ericsson.com/en/about-us/security/psirt/security-bulletin-indoorconnect-march-2026"
            },
            {
              "url": "https://www.ericsson.com/en/about-us/security/psirt/CVE-2025-40841"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Ericsson Indoor Connect 8855 - Cross-Site Request Forgery  Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
        "assignerShortName": "ERIC",
        "cveId": "CVE-2025-40841",
        "datePublished": "2026-03-25T13:07:53.229Z",
        "dateReserved": "2025-04-16T08:59:01.744Z",
        "dateUpdated": "2026-03-25T13:44:45.962Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-27260 (GCVE-0-2025-27260)

    Vulnerability from nvd – Published: 2026-03-25 12:54 – Updated: 2026-03-25 13:50
    VLAI
    Title
    Ericsson Indoor Connect 8855 - Improper Filtering of Special Elements Vulnerability
    Summary
    Ericsson Indoor Connect 8855 versions prior to 2025.Q3 contains an Improper Filtering of Special Elements vulnerability which, if exploited, can lead to unauthorized modification of certain information
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Ericsson Indoor Connect 8855 Affected: 0 , < 2025.Q3 (custom)
    Create a notification for this product.
    Credits
    Telstra
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-27260",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-25T13:50:26.371520Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-25T13:50:33.976Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Indoor Connect 8855",
              "vendor": "Ericsson",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2025.Q3",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2025.Q3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Telstra"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Ericsson\nIndoor Connect 8855 versions prior to 2025.Q3 contains an Improper Filtering of Special\nElements\u0026nbsp;vulnerability which, if exploited, can lead to unauthorized\nmodification of certain information"
                }
              ],
              "value": "Ericsson\nIndoor Connect 8855 versions prior to 2025.Q3 contains an Improper Filtering of Special\nElements\u00a0vulnerability which, if exploited, can lead to unauthorized\nmodification of certain information"
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-790",
                  "description": "CWE-790",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-25T13:18:23.060Z",
            "orgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
            "shortName": "ERIC"
          },
          "references": [
            {
              "url": "https://www.ericsson.com/en/about-us/security/psirt/security-bulletin-indoorconnect-march-2026"
            },
            {
              "url": "https://www.ericsson.com/en/about-us/security/psirt/CVE-2025-27260"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Ericsson Indoor Connect 8855 - Improper Filtering of Special Elements Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
        "assignerShortName": "ERIC",
        "cveId": "CVE-2025-27260",
        "datePublished": "2026-03-25T12:54:46.406Z",
        "dateReserved": "2025-02-21T08:58:20.367Z",
        "dateUpdated": "2026-03-25T13:50:33.976Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-40843 (GCVE-0-2025-40843)

    Vulnerability from nvd – Published: 2025-10-28 18:49 – Updated: 2025-10-28 19:30 X_Open Source
    VLAI
    Title
    Buffer overflow in CodeChecker log command
    Summary
    CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. CodeChecker versions up to 6.26.1 contain a buffer overflow vulnerability in the internal ldlogger library, which is executed by the CodeChecker log command. This issue affects CodeChecker: through 6.26.1.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-121 - Stack based buffer overflow
    Assigner
    References
    Impacted products
    Vendor Product Version
    Ericsson CodeChecker Affected: 0 , ≤ 6.26.1 (python)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-40843",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-28T19:30:15.826239Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-28T19:30:25.737Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux"
              ],
              "product": "CodeChecker",
              "vendor": "Ericsson",
              "versions": [
                {
                  "lessThanOrEqual": "6.26.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. \u003c/span\u003e\u003cbr\u003e\u003cp\u003e\n\n\u003c/p\u003e\u003cp\u003eCodeChecker versions up to 6.26.1 contain a buffer overflow vulnerability in the internal \u003ccode\u003eldlogger\u003c/code\u003e\u0026nbsp;library, which is executed by the \u003ccode\u003eCodeChecker log\u003c/code\u003e\u0026nbsp;command.\u003c/p\u003e\n\n\u003cp\u003e\u003c/p\u003e\u003cp\u003eThis issue affects CodeChecker: through 6.26.1.\u003c/p\u003e"
                }
              ],
              "value": "CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. \n\n\n\n\nCodeChecker versions up to 6.26.1 contain a buffer overflow vulnerability in the internal ldlogger\u00a0library, which is executed by the CodeChecker log\u00a0command.\n\n\n\n\n\nThis issue affects CodeChecker: through 6.26.1."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100 Overflow Buffers"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "LOW",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-121",
                  "description": "CWE-121 Stack based buffer overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-28T18:49:49.516Z",
            "orgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
            "shortName": "ERIC"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/Ericsson/codechecker/security/advisories/GHSA-5xf2-f6ch-6p8r"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "tags": [
            "x_open-source"
          ],
          "title": "Buffer overflow in CodeChecker log command",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
        "assignerShortName": "ERIC",
        "cveId": "CVE-2025-40843",
        "datePublished": "2025-10-28T18:49:49.516Z",
        "dateReserved": "2025-04-16T08:59:01.744Z",
        "dateUpdated": "2025-10-28T19:30:25.737Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-27259 (GCVE-0-2025-27259)

    Vulnerability from nvd – Published: 2025-10-13 06:16 – Updated: 2025-10-14 16:06
    VLAI
    Title
    Ericsson Network Manager: improper neutralization of user controlled input
    Summary
    Ericsson Network Manager versions prior to ENM 25.2 GA contain a vulnerability that, if exploited, can exfiltrate limited data or redirect victims to other sites or domains.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Ericsson Ericsson Network Manager(ENM) Affected: 0 , < all versions prior to 25.2 (custom)
    Create a notification for this product.
    Date Public
    2025-10-10 07:31
    Credits
    Ericsson would like to thank the following personnel from TIM Security Red Team Research for reporting these issues to us: Andrea Carlo Maria Dattola, Cristina Coppola, Carlo Pannullo, Massimiliano Brolli
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-27259",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-14T16:01:04.095742Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-14T16:06:38.469Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Ericsson Network Manager(ENM)",
              "vendor": "Ericsson",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "Version 25.2 or later",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "all versions prior to 25.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Ericsson would like to thank the following personnel from TIM Security Red Team Research for reporting these issues to us: Andrea Carlo Maria Dattola, Cristina Coppola, Carlo Pannullo, Massimiliano Brolli"
            }
          ],
          "datePublic": "2025-10-10T07:31:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eEricsson Network Manager versions prior to ENM 25.2 GA contain a vulnerability that, if exploited, can exfiltrate limited data or redirect victims to other sites or domains. \u0026nbsp;\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "Ericsson Network Manager versions prior to ENM 25.2 GA contain a vulnerability that, if exploited, can exfiltrate limited data or redirect victims to other sites or domains."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 2.4,
                "baseSeverity": "LOW",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-13T06:16:37.104Z",
            "orgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
            "shortName": "ERIC"
          },
          "references": [
            {
              "url": "https://www.ericsson.com/en/about-us/security/psirt/security-bulletin-enm-october-2025"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Ericsson Network Manager: improper neutralization of user controlled input",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
        "assignerShortName": "ERIC",
        "cveId": "CVE-2025-27259",
        "datePublished": "2025-10-13T06:16:37.104Z",
        "dateReserved": "2025-02-21T08:58:20.367Z",
        "dateUpdated": "2025-10-14T16:06:38.469Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-27258 (GCVE-0-2025-27258)

    Vulnerability from nvd – Published: 2025-10-13 06:25 – Updated: 2025-10-14 15:29
    VLAI
    Title
    Ericsson Network Manager: escalation of privilege vulnerability
    Summary
    Ericsson Network Manager (ENM) versions prior to ENM 25.1 GA contain a vulnerability, if exploited, can result in an escalation of privilege.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    Ericsson Ericsson Network Manager(ENM) Affected: 0 , < 25.1 (custom)
    Create a notification for this product.
    Date Public
    2025-10-10 07:31
    Credits
    Ericsson would like to thank the following personnel from TIM Security Red Team Research for reporting these issues to us: Andrea Carlo Maria Dattola, Cristina Coppola, Carlo Pannullo, Massimiliano Brolli
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-27258",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-14T15:29:36.817155Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-14T15:29:59.253Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Ericsson Network Manager(ENM)",
              "vendor": "Ericsson",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "Version 25.1 or later",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "25.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Ericsson would like to thank the following personnel from TIM Security Red Team Research for reporting these issues to us: Andrea Carlo Maria Dattola, Cristina Coppola, Carlo Pannullo, Massimiliano Brolli"
            }
          ],
          "datePublic": "2025-10-10T07:31:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;Ericsson Network Manager (ENM) versions prior to ENM 25.1 GA contain a vulnerability, if exploited, can result in an escalation of privilege.\u003c/span\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "Ericsson Network Manager (ENM) versions prior to ENM 25.1 GA contain a vulnerability, if exploited, can result in an escalation of privilege."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-13T06:25:32.326Z",
            "orgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
            "shortName": "ERIC"
          },
          "references": [
            {
              "url": "https://www.ericsson.com/en/about-us/security/psirt/security-bulletin-enm-october-2025"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Ericsson Network Manager: escalation of privilege vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
        "assignerShortName": "ERIC",
        "cveId": "CVE-2025-27258",
        "datePublished": "2025-10-13T06:25:32.326Z",
        "dateReserved": "2025-02-21T08:58:20.366Z",
        "dateUpdated": "2025-10-14T15:29:59.253Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-0636 (GCVE-0-2025-0636)

    Vulnerability from nvd – Published: 2025-10-13 06:26 – Updated: 2025-10-14 13:25
    VLAI
    Title
    Arbitrary Code Execution vulnerability in Ericsson RAN Compute and Site Controller
    Summary
    EMCLI contains a high severity vulnerability where improper neutralization of special elements used in an OS command could be exploited leading to Arbitrary Code Execution.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    Assigner
    Impacted products
    Date Public
    2025-10-10 06:50
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-0636",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-14T13:25:34.279595Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-14T13:25:42.989Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Site Controller 6610",
              "vendor": "Ericsson",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "S24.Q2, S24.Q3.1 S24.Q4 S25.Q1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "S24.Q2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "RAN Compute (all BB versions)",
              "vendor": "Ericsson",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "4.Q1.C5 24.Q2 24.Q3 24.Q4 25.Q1 RCG123.1 RCG123.2 RCG123.3",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "24.Q1.C5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2025-10-10T06:50:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eEMCLI contains a high severity vulnerability where improper neutralization of special elements used in an OS command could be exploited leading to Arbitrary Code Execution. \u0026nbsp; \u003c/span\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "EMCLI contains a high severity vulnerability where improper neutralization of special elements used in an OS command could be exploited leading to Arbitrary Code Execution."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-13T06:26:16.829Z",
            "orgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
            "shortName": "ERIC"
          },
          "references": [
            {
              "url": "https://www.ericsson.com/en/about-us/security/psirt/cve-2025-0636"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Arbitrary Code Execution vulnerability in Ericsson RAN Compute and Site Controller",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
        "assignerShortName": "ERIC",
        "cveId": "CVE-2025-0636",
        "datePublished": "2025-10-13T06:26:16.829Z",
        "dateReserved": "2025-01-22T10:46:30.753Z",
        "dateUpdated": "2025-10-14T13:25:42.989Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-40838 (GCVE-0-2025-40838)

    Vulnerability from nvd – Published: 2025-09-25 14:54 – Updated: 2025-09-30 12:15
    VLAI
    Title
    Ericsson Indoor Connect 8855 - Insufficiently Protected Credentials Vulnerability
    Summary
    Ericsson Indoor Connect 8855 contains a vulnerability where server-side security can be bypassed in the client which if exploited can lead to unauthorized disclosure of certain information.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-522 - Insufficiently Protected Credentials
    Assigner
    Impacted products
    Vendor Product Version
    Ericsson Indoor Connect 8855 Affected: 0 , < 2025.Q2 (Indoor Connect 8855)
    Create a notification for this product.
    Credits
    Telstra
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-40838",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-25T15:44:16.433331Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-25T15:48:09.737Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Indoor Connect 8855",
              "vendor": "Ericsson",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2025.Q2",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2025.Q2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "Indoor Connect 8855"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Telstra"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eEricsson Indoor Connect 8855 contains a vulnerability where server-side security can be bypassed in the client which if exploited can lead to unauthorized disclosure of certain information.\u003c/span\u003e"
                }
              ],
              "value": "Ericsson Indoor Connect 8855 contains a vulnerability where server-side security can be bypassed in the client which if exploited can lead to unauthorized disclosure of certain information."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-522",
                  "description": "CWE-522 Insufficiently Protected Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-30T12:15:44.492Z",
            "orgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
            "shortName": "ERIC"
          },
          "references": [
            {
              "url": "https://www.ericsson.com/en/about-us/security/psirt/e2025-09-25"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Ericsson Indoor Connect 8855 - Insufficiently Protected Credentials Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
        "assignerShortName": "ERIC",
        "cveId": "CVE-2025-40838",
        "datePublished": "2025-09-25T14:54:43.229Z",
        "dateReserved": "2025-04-16T08:59:01.744Z",
        "dateUpdated": "2025-09-30T12:15:44.492Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-40837 (GCVE-0-2025-40837)

    Vulnerability from nvd – Published: 2025-09-25 14:52 – Updated: 2025-09-30 12:15
    VLAI
    Title
    Ericsson Indoor Connect 8855 - Missing Authorization Vulnerability
    Summary
    Ericsson Indoor Connect 8855 contains a missing authorization vulnerability which if exploited can allow access to the system as a user with higher privileges than intended.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Ericsson Indoor Connect 8855 Affected: 0 , < 2025.Q2 (Indoor Connect 8855)
    Create a notification for this product.
    Credits
    Telstra
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-40837",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-25T15:44:22.046103Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-25T15:48:15.172Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Indoor Connect 8855",
              "vendor": "Ericsson",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2025.Q2",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2025.Q2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "Indoor Connect 8855"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Telstra"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eEricsson Indoor Connect 8855 contains a missing authorization vulnerability which if exploited can allow access to the system as a user with higher privileges than intended.\u003c/span\u003e"
                }
              ],
              "value": "Ericsson Indoor Connect 8855 contains a missing authorization vulnerability which if exploited can allow access to the system as a user with higher privileges than intended."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-30T12:15:13.648Z",
            "orgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
            "shortName": "ERIC"
          },
          "references": [
            {
              "url": "https://www.ericsson.com/en/about-us/security/psirt/e2025-09-25"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Ericsson Indoor Connect 8855 - Missing Authorization Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
        "assignerShortName": "ERIC",
        "cveId": "CVE-2025-40837",
        "datePublished": "2025-09-25T14:52:23.376Z",
        "dateReserved": "2025-04-16T08:59:01.744Z",
        "dateUpdated": "2025-09-30T12:15:13.648Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-40836 (GCVE-0-2025-40836)

    Vulnerability from nvd – Published: 2025-09-25 14:49 – Updated: 2025-09-30 12:14
    VLAI
    Title
    Ericsson Indoor Connect 8855 - Improper Input Validation Vulnerability
    Summary
    Ericsson Indoor Connect 8855 contains an improper input validation vulnerability which if exploited can allow an attacker to execute commands with escalated privileges.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    Ericsson Indoor Connect 8855 Affected: 0 , < 2025.Q2 (Indoor Connect 8855)
    Create a notification for this product.
    Credits
    Telstra
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-40836",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-25T15:44:35.263809Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-25T15:48:27.041Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Indoor Connect 8855",
              "vendor": "Ericsson",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2025.Q2",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2025.Q2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "Indoor Connect 8855"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Telstra"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eEricsson Indoor Connect 8855 contains an improper input validation vulnerability which if exploited can allow an attacker to execute commands with escalated privileges.\u003c/span\u003e"
                }
              ],
              "value": "Ericsson Indoor Connect 8855 contains an improper input validation vulnerability which if exploited can allow an attacker to execute commands with escalated privileges."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-30T12:14:36.904Z",
            "orgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
            "shortName": "ERIC"
          },
          "references": [
            {
              "url": "https://www.ericsson.com/en/about-us/security/psirt/e2025-09-25"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Ericsson Indoor Connect 8855 - Improper Input Validation Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
        "assignerShortName": "ERIC",
        "cveId": "CVE-2025-40836",
        "datePublished": "2025-09-25T14:49:02.613Z",
        "dateReserved": "2025-04-16T08:59:01.744Z",
        "dateUpdated": "2025-09-30T12:14:36.904Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-27262 (GCVE-0-2025-27262)

    Vulnerability from nvd – Published: 2025-09-25 14:43 – Updated: 2025-09-30 12:13
    VLAI
    Title
    Ericsson Indoor Connect 8855 - Improper Neutralization of Special Elements used in an OS Command Vulnerability
    Summary
    Ericsson Indoor Connect 8855 contains a command injection vulnerability which if exploited can result in an escalation of privileges.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Ericsson Indoor Connect 8855 Affected: 0 , < 2025.Q2 (Indoor Connect 8855)
    Create a notification for this product.
    Credits
    Telstra
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-27262",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-25T15:18:14.273331Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-25T15:27:05.382Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Indoor Connect 8855",
              "vendor": "Ericsson",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2025.Q2",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2025.Q2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "Indoor Connect 8855"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Telstra"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eEricsson Indoor Connect 8855 contains a command injection vulnerability which if exploited can result in an escalation of privileges.\u003c/span\u003e"
                }
              ],
              "value": "Ericsson Indoor Connect 8855 contains a command injection vulnerability which if exploited can result in an escalation of privileges."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 8.5,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-30T12:13:16.746Z",
            "orgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
            "shortName": "ERIC"
          },
          "references": [
            {
              "url": "https://www.ericsson.com/en/about-us/security/psirt/e2025-09-25"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Ericsson Indoor Connect 8855 -  Improper Neutralization of Special Elements used in an OS Command Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
        "assignerShortName": "ERIC",
        "cveId": "CVE-2025-27262",
        "datePublished": "2025-09-25T14:43:29.803Z",
        "dateReserved": "2025-02-21T08:58:20.367Z",
        "dateUpdated": "2025-09-30T12:13:16.746Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-59174 (GCVE-0-2025-59174)

    Vulnerability from cvelistv5 – Published: 2026-06-05 13:44 – Updated: 2026-06-05 20:09
    VLAI
    Summary
    Ericsson Packet Core Controller (PCC) versions prior to 1.39 contain a vulnerability where an attacker sending a large volume of specially crafted messages may cause service degradation.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-228 - Improper Handling of Syntactically Invalid Structure
    Assigner
    Impacted products
    Vendor Product Version
    Ericsson Packet Core Controller Affected: 0 , < 1.39 (custom)
    Create a notification for this product.
    Date Public
    2026-06-02 11:12
    Credits
    The UK Telecoms Lab (UKTL) The UK’s National Cyber Security Centre (NCSC)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-59174",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-05T20:09:12.098289Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-05T20:09:18.706Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Packet Core Controller",
              "vendor": "Ericsson",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.39",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "1.39",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "The UK Telecoms Lab (UKTL)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "The UK\u2019s National Cyber Security Centre (NCSC)"
            }
          ],
          "datePublic": "2026-06-02T11:12:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Ericsson Packet Core Controller (PCC) versions prior to 1.39 contain a vulnerability where an attacker sending a large volume of specially crafted messages may cause service degradation."
                }
              ],
              "value": "Ericsson Packet Core Controller (PCC) versions prior to 1.39 contain a vulnerability where an attacker sending a large volume of specially crafted messages may cause service degradation."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-228",
                  "description": "CWE-228: Improper Handling of Syntactically Invalid Structure",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-05T13:44:39.149Z",
            "orgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
            "shortName": "ERIC"
          },
          "references": [
            {
              "url": "https://ericsson.com/en/about-us/security/psirt/CVE-2025-59174"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
        "assignerShortName": "ERIC",
        "cveId": "CVE-2025-59174",
        "datePublished": "2026-06-05T13:44:39.149Z",
        "dateReserved": "2025-09-10T13:24:49.360Z",
        "dateUpdated": "2026-06-05T20:09:18.706Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25659 (GCVE-0-2026-25659)

    Vulnerability from cvelistv5 – Published: 2026-06-05 11:08 – Updated: 2026-06-05 20:11
    VLAI
    Title
    Ericsson Packet Core Gateway (PCG) - Improper handling of missing values Vulnerability
    Summary
    Ericsson Packet Core Gateway (PCG) versions prior to 1.30 contain an Improper Handling of Missing Values (CWE-230) vulnerability where an attacker continuously sending a specially crafted message can cause service degradation. The impact continues as long the attack persists but the system recovers from the crashes when the attack stops.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-230 - Improper handling of missing values
    Assigner
    Impacted products
    Vendor Product Version
    Ericsson Packet Core Gateway (PCG) Affected: 0 , < 1.30 (1.30)
    Create a notification for this product.
    Credits
    Clemens Keil, Manfred Heinz, Patrick Walker of BDO Cyber Security GmbH BSI 5G/6G Security Lab TEMIS (Federal Office for Information Security, Germany)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25659",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-05T20:11:16.225932Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-05T20:11:23.341Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Packet Core Gateway (PCG)",
              "vendor": "Ericsson",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.30",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "1.30",
                  "status": "affected",
                  "version": "0",
                  "versionType": "1.30"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Clemens Keil, Manfred Heinz, Patrick Walker of BDO Cyber Security GmbH"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "BSI 5G/6G Security Lab TEMIS (Federal Office for Information Security, Germany)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eEricsson\nPacket Core Gateway (PCG) versions prior to 1.30 contain an Improper Handling\nof Missing Values (CWE-230) vulnerability where an attacker continuously\nsending a specially crafted message can cause service degradation.\u0026nbsp;\u003cspan\u003eThe impact continues as long the attack persists but the system recovers from the crashes when the attack stops.\u003c/span\u003e\u003c/p\u003e"
                }
              ],
              "value": "Ericsson\nPacket Core Gateway (PCG) versions prior to 1.30 contain an Improper Handling\nof Missing Values (CWE-230) vulnerability where an attacker continuously\nsending a specially crafted message can cause service degradation.\u00a0The impact continues as long the attack persists but the system recovers from the crashes when the attack stops."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-230",
                  "description": "CWE-230 Improper handling of missing values",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-05T11:08:39.929Z",
            "orgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
            "shortName": "ERIC"
          },
          "references": [
            {
              "url": "https://www.ericsson.com/en/about-us/security/psirt/cve-2026-25659"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Ericsson Packet Core Gateway (PCG) - Improper handling of missing values Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
        "assignerShortName": "ERIC",
        "cveId": "CVE-2026-25659",
        "datePublished": "2026-06-05T11:08:39.929Z",
        "dateReserved": "2026-02-04T12:41:54.869Z",
        "dateUpdated": "2026-06-05T20:11:23.341Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25658 (GCVE-0-2026-25658)

    Vulnerability from cvelistv5 – Published: 2026-06-05 11:06 – Updated: 2026-06-05 20:11
    VLAI
    Title
    Ericsson Packet Core Gateway (PCG) - Improper handling of missing values Vulnerability
    Summary
    Ericsson Packet Core Gateway (PCG) versions prior to 1.30 contain an Improper Handling of Missing Values (CWE-230) vulnerability where an attacker continuously sending a specially crafted message can cause service degradation. The impact continues as long the attack persists but the system recovers from the crashes when the attack stops.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-230 - Improper handling of missing values
    Assigner
    Impacted products
    Vendor Product Version
    Ericsson Packet Core Gateway (PCG) Affected: 0 , < 1.30 (1.30)
    Create a notification for this product.
    Credits
    Clemens Keil, Manfred Heinz, Patrick Walker of BDO Cyber Security GmbH BSI 5G/6G Security Lab TEMIS (Federal Office for Information Security, Germany)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25658",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-05T20:11:36.044286Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-05T20:11:42.365Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Packet Core Gateway (PCG)",
              "vendor": "Ericsson",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.30",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "1.30",
                  "status": "affected",
                  "version": "0",
                  "versionType": "1.30"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Clemens Keil, Manfred Heinz, Patrick Walker of BDO Cyber Security GmbH"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "BSI 5G/6G Security Lab TEMIS (Federal Office for Information Security, Germany)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eEricsson\nPacket Core Gateway (PCG) versions prior to 1.30 contain an Improper Handling\nof Missing Values (CWE-230) vulnerability where an attacker continuously\nsending a specially crafted message can cause service degradation.\u0026nbsp;\u003cspan\u003eThe impact continues as long the attack persists but the system recovers from the crashes when the attack stops.\u003c/span\u003e\u003c/p\u003e"
                }
              ],
              "value": "Ericsson\nPacket Core Gateway (PCG) versions prior to 1.30 contain an Improper Handling\nof Missing Values (CWE-230) vulnerability where an attacker continuously\nsending a specially crafted message can cause service degradation.\u00a0The impact continues as long the attack persists but the system recovers from the crashes when the attack stops."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-230",
                  "description": "CWE-230 Improper handling of missing values",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-05T11:06:27.504Z",
            "orgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
            "shortName": "ERIC"
          },
          "references": [
            {
              "url": "https://www.ericsson.com/en/about-us/security/psirt/cve-2026-25658"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Ericsson Packet Core Gateway (PCG) - Improper handling of missing values Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
        "assignerShortName": "ERIC",
        "cveId": "CVE-2026-25658",
        "datePublished": "2026-06-05T11:06:27.504Z",
        "dateReserved": "2026-02-04T12:41:54.869Z",
        "dateUpdated": "2026-06-05T20:11:42.365Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25657 (GCVE-0-2026-25657)

    Vulnerability from cvelistv5 – Published: 2026-06-05 11:03 – Updated: 2026-06-05 20:11
    VLAI
    Title
    Ericsson Packet Core Gateway (PCG) - Improper Handling of Syntactically Invalid Structure Vulnerability
    Summary
    Ericsson Packet Core Gateway (PCG) versions prior to 1.30 contain an Improper Handling of Syntactically Invalid Structure (CWE-228) vulnerability where an attacker continuously sending a specially crafted message can cause service degradation. The impact continues as long the attack persists but the system recovers from the crashes when the attack stops.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Ericsson Packet Core Gateway (PCG) Affected: 0 , < 1.30 (1.30)
    Create a notification for this product.
    Credits
    Clemens Keil, Manfred Heinz, Patrick Walker of BDO Cyber Security GmbH BSI 5G/6G Security Lab TEMIS (Federal Office for Information Security, Germany)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25657",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-05T20:11:51.419993Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-05T20:11:57.051Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Packet Core Gateway (PCG)",
              "vendor": "Ericsson",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.30",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "1.30",
                  "status": "affected",
                  "version": "0",
                  "versionType": "1.30"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Clemens Keil, Manfred Heinz, Patrick Walker of BDO Cyber Security GmbH"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "BSI 5G/6G Security Lab TEMIS (Federal Office for Information Security, Germany)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eEricsson Packet Core Gateway (PCG) versions prior to 1.30 contain an Improper Handling of Syntactically Invalid Structure (CWE-228) vulnerability where an attacker continuously sending a specially crafted message can cause service degradation. The impact continues as long the attack persists but the system recovers from the crashes when the attack stops.\u003c/p\u003e"
                }
              ],
              "value": "Ericsson Packet Core Gateway (PCG) versions prior to 1.30 contain an Improper Handling of Syntactically Invalid Structure (CWE-228) vulnerability where an attacker continuously sending a specially crafted message can cause service degradation. The impact continues as long the attack persists but the system recovers from the crashes when the attack stops."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-228",
                  "description": "CWE-228",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-05T11:03:02.273Z",
            "orgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
            "shortName": "ERIC"
          },
          "references": [
            {
              "url": "https://www.ericsson.com/en/about-us/security/psirt/cve-2026-25657"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Ericsson Packet Core Gateway (PCG) - Improper Handling of Syntactically Invalid Structure Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
        "assignerShortName": "ERIC",
        "cveId": "CVE-2026-25657",
        "datePublished": "2026-06-05T11:03:02.273Z",
        "dateReserved": "2026-02-04T12:41:54.869Z",
        "dateUpdated": "2026-06-05T20:11:57.051Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25660 (GCVE-0-2026-25660)

    Vulnerability from cvelistv5 – Published: 2026-04-24 13:10 – Updated: 2026-04-24 13:51 X_Open Source
    VLAI
    Title
    Authentication bypass for certain API calls
    Summary
    CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Authentication bypass occurs when the URL ends with Authentication with certain function calls.  This bypass allows assigning arbitrary permission to any user existing in CodeChecker. This issue affects CodeChecker: through 6.27.3.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-290 - Authentication bypass by spoofing
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Ericsson CodeChecker Affected: 0 , ≤ 6.27.3 (python)
    Create a notification for this product.
    Credits
    Scott Tolley
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25660",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-24T13:50:59.651031Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-24T13:51:11.174Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "CodeChecker",
              "vendor": "Ericsson",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "6.27.4",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "6.27.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Scott Tolley"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan\u003eCodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. \u003c/span\u003e\u003cbr\u003e\u003cp\u003eAuthentication bypass occurs when the URL ends with Authentication with certain function calls.\u0026nbsp; This bypass allows assigning arbitrary permission to any user existing in CodeChecker.\u003c/p\u003e\u003cp\u003eThis issue affects CodeChecker: through 6.27.3.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
                }
              ],
              "value": "CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. \nAuthentication bypass occurs when the URL ends with Authentication with certain function calls.\u00a0 This bypass allows assigning arbitrary permission to any user existing in CodeChecker.\n\nThis issue affects CodeChecker: through 6.27.3."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "USER",
                "Safety": "NEGLIGIBLE",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "PROOF_OF_CONCEPT",
                "privilegesRequired": "NONE",
                "providerUrgency": "RED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "CONCENTRATED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/S:N/AU:Y/R:U/V:C/RE:M/U:Red",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "MODERATE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-290",
                  "description": "CWE-290 Authentication bypass by spoofing",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863 Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T13:10:26.171Z",
            "orgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
            "shortName": "ERIC"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/Ericsson/codechecker/security/advisories/GHSA-4v9x-cqc5-j645"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "tags": [
            "x_open-source"
          ],
          "title": "Authentication bypass for certain API calls",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
        "assignerShortName": "ERIC",
        "cveId": "CVE-2026-25660",
        "datePublished": "2026-04-24T13:10:26.171Z",
        "dateReserved": "2026-02-04T12:41:54.869Z",
        "dateUpdated": "2026-04-24T13:51:11.174Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-53828 (GCVE-0-2024-53828)

    Vulnerability from cvelistv5 – Published: 2026-04-01 09:49 – Updated: 2026-04-01 12:39
    VLAI
    Title
    Ericsson Packet Core Controller (PCC) - Improper Handling of Syntactically Invalid Structure Vulnerability
    Summary
    Ericsson Packet Core Controller (PCC) versions prior to 1.38 contain a vulnerability where an attacker sending a large volume of specially crafted messages may cause service degradation.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Ericsson Packet Core Controller (PCC) Affected: 0 , < 1.38 (1.38)
    Create a notification for this product.
    Credits
    The UK’s National Cyber Security Centre (NCSC) The UK Telecoms Lab (UKTL)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-53828",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-01T12:39:12.844626Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-01T12:39:41.380Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Packet Core Controller (PCC)",
              "vendor": "Ericsson",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.38",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "1.38",
                  "status": "affected",
                  "version": "0",
                  "versionType": "1.38"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "The UK\u2019s National Cyber Security Centre (NCSC)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "The UK Telecoms Lab (UKTL)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Ericsson Packet Core Controller (PCC) versions prior\nto 1.38 contain a vulnerability where an attacker sending a large volume of\nspecially crafted messages may cause service degradation."
                }
              ],
              "value": "Ericsson Packet Core Controller (PCC) versions prior\nto 1.38 contain a vulnerability where an attacker sending a large volume of\nspecially crafted messages may cause service degradation."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-228",
                  "description": "CWE-228",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-01T09:49:18.214Z",
            "orgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
            "shortName": "ERIC"
          },
          "references": [
            {
              "url": "https://www.ericsson.com/en/about-us/security/psirt/CVE-2024-53828"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Ericsson Packet Core Controller (PCC) - Improper Handling of Syntactically Invalid Structure Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
        "assignerShortName": "ERIC",
        "cveId": "CVE-2024-53828",
        "datePublished": "2026-04-01T09:49:18.214Z",
        "dateReserved": "2024-11-22T14:21:37.002Z",
        "dateUpdated": "2026-04-01T12:39:41.380Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-40842 (GCVE-0-2025-40842)

    Vulnerability from cvelistv5 – Published: 2026-03-25 13:10 – Updated: 2026-03-25 13:44
    VLAI
    Title
    Ericsson Indoor Connect 8855 - Improper Neutralization of Input During Web Page Generation Vulnerability
    Summary
    Ericsson Indoor Connect 8855 versions prior to 2025.Q3 contains a Cross-Site Scripting (XSS) vulnerability which, if exploited, can lead to unauthorized disclosure and modification of certain information.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper neutralization of input during web page generation ('cross-site scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Ericsson Indoor Connect 8855 Affected: 0 , < 2025.Q3 (custom)
    Create a notification for this product.
    Credits
    Telstra
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-40842",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-25T13:44:02.789000Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-25T13:44:10.955Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Indoor Connect 8855",
              "vendor": "Ericsson",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2025.Q3",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2025.Q3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Telstra"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Ericsson Indoor Connect 8855 versions prior to 2025.Q3\u0026nbsp;contains a\nCross-Site Scripting (XSS) vulnerability which, if exploited, can lead to\nunauthorized disclosure and modification of certain information.\u0026nbsp;"
                }
              ],
              "value": "Ericsson Indoor Connect 8855 versions prior to 2025.Q3\u00a0contains a\nCross-Site Scripting (XSS) vulnerability which, if exploited, can lead to\nunauthorized disclosure and modification of certain information."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.5,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-25T13:15:53.253Z",
            "orgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
            "shortName": "ERIC"
          },
          "references": [
            {
              "url": "https://www.ericsson.com/en/about-us/security/psirt/security-bulletin-indoorconnect-march-2026"
            },
            {
              "url": "https://www.ericsson.com/en/about-us/security/psirt/CVE-2025-40842"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Ericsson Indoor Connect 8855 - Improper Neutralization of Input During Web Page Generation Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
        "assignerShortName": "ERIC",
        "cveId": "CVE-2025-40842",
        "datePublished": "2026-03-25T13:10:44.010Z",
        "dateReserved": "2025-04-16T08:59:01.744Z",
        "dateUpdated": "2026-03-25T13:44:10.955Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-40841 (GCVE-0-2025-40841)

    Vulnerability from cvelistv5 – Published: 2026-03-25 13:07 – Updated: 2026-03-25 13:44
    VLAI
    Title
    Ericsson Indoor Connect 8855 - Cross-Site Request Forgery Vulnerability
    Summary
    Ericsson Indoor Connect 8855 versions prior to 2025.Q3 contains a Cross-Site Request Forgery (CSRF) vulnerability which, if exploited, can lead to unauthorized modification of certain information.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site request forgery (CSRF)
    Assigner
    Impacted products
    Vendor Product Version
    Ericsson Indoor Connect 8855 Affected: 0 , < 2025.Q3 (custom)
    Create a notification for this product.
    Credits
    Telstra
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-40841",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-25T13:44:36.014812Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-25T13:44:45.962Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Indoor Connect 8855",
              "vendor": "Ericsson",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2025.Q3",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2025.Q3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Telstra"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Ericsson Indoor Connect 8855 versions prior to 2025.Q3\u0026nbsp;contains a\nCross-Site Request Forgery (CSRF) vulnerability which, if exploited, can lead\nto unauthorized modification of certain information.\u0026nbsp;"
                }
              ],
              "value": "Ericsson Indoor Connect 8855 versions prior to 2025.Q3\u00a0contains a\nCross-Site Request Forgery (CSRF) vulnerability which, if exploited, can lead\nto unauthorized modification of certain information."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site request forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-25T13:17:23.852Z",
            "orgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
            "shortName": "ERIC"
          },
          "references": [
            {
              "url": "https://www.ericsson.com/en/about-us/security/psirt/security-bulletin-indoorconnect-march-2026"
            },
            {
              "url": "https://www.ericsson.com/en/about-us/security/psirt/CVE-2025-40841"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Ericsson Indoor Connect 8855 - Cross-Site Request Forgery  Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
        "assignerShortName": "ERIC",
        "cveId": "CVE-2025-40841",
        "datePublished": "2026-03-25T13:07:53.229Z",
        "dateReserved": "2025-04-16T08:59:01.744Z",
        "dateUpdated": "2026-03-25T13:44:45.962Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-27260 (GCVE-0-2025-27260)

    Vulnerability from cvelistv5 – Published: 2026-03-25 12:54 – Updated: 2026-03-25 13:50
    VLAI
    Title
    Ericsson Indoor Connect 8855 - Improper Filtering of Special Elements Vulnerability
    Summary
    Ericsson Indoor Connect 8855 versions prior to 2025.Q3 contains an Improper Filtering of Special Elements vulnerability which, if exploited, can lead to unauthorized modification of certain information
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Ericsson Indoor Connect 8855 Affected: 0 , < 2025.Q3 (custom)
    Create a notification for this product.
    Credits
    Telstra
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-27260",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-25T13:50:26.371520Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-25T13:50:33.976Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Indoor Connect 8855",
              "vendor": "Ericsson",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2025.Q3",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2025.Q3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Telstra"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Ericsson\nIndoor Connect 8855 versions prior to 2025.Q3 contains an Improper Filtering of Special\nElements\u0026nbsp;vulnerability which, if exploited, can lead to unauthorized\nmodification of certain information"
                }
              ],
              "value": "Ericsson\nIndoor Connect 8855 versions prior to 2025.Q3 contains an Improper Filtering of Special\nElements\u00a0vulnerability which, if exploited, can lead to unauthorized\nmodification of certain information"
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-790",
                  "description": "CWE-790",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-25T13:18:23.060Z",
            "orgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
            "shortName": "ERIC"
          },
          "references": [
            {
              "url": "https://www.ericsson.com/en/about-us/security/psirt/security-bulletin-indoorconnect-march-2026"
            },
            {
              "url": "https://www.ericsson.com/en/about-us/security/psirt/CVE-2025-27260"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Ericsson Indoor Connect 8855 - Improper Filtering of Special Elements Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
        "assignerShortName": "ERIC",
        "cveId": "CVE-2025-27260",
        "datePublished": "2026-03-25T12:54:46.406Z",
        "dateReserved": "2025-02-21T08:58:20.367Z",
        "dateUpdated": "2026-03-25T13:50:33.976Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-40843 (GCVE-0-2025-40843)

    Vulnerability from cvelistv5 – Published: 2025-10-28 18:49 – Updated: 2025-10-28 19:30 X_Open Source
    VLAI
    Title
    Buffer overflow in CodeChecker log command
    Summary
    CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. CodeChecker versions up to 6.26.1 contain a buffer overflow vulnerability in the internal ldlogger library, which is executed by the CodeChecker log command. This issue affects CodeChecker: through 6.26.1.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-121 - Stack based buffer overflow
    Assigner
    References
    Impacted products
    Vendor Product Version
    Ericsson CodeChecker Affected: 0 , ≤ 6.26.1 (python)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-40843",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-28T19:30:15.826239Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-28T19:30:25.737Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux"
              ],
              "product": "CodeChecker",
              "vendor": "Ericsson",
              "versions": [
                {
                  "lessThanOrEqual": "6.26.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. \u003c/span\u003e\u003cbr\u003e\u003cp\u003e\n\n\u003c/p\u003e\u003cp\u003eCodeChecker versions up to 6.26.1 contain a buffer overflow vulnerability in the internal \u003ccode\u003eldlogger\u003c/code\u003e\u0026nbsp;library, which is executed by the \u003ccode\u003eCodeChecker log\u003c/code\u003e\u0026nbsp;command.\u003c/p\u003e\n\n\u003cp\u003e\u003c/p\u003e\u003cp\u003eThis issue affects CodeChecker: through 6.26.1.\u003c/p\u003e"
                }
              ],
              "value": "CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. \n\n\n\n\nCodeChecker versions up to 6.26.1 contain a buffer overflow vulnerability in the internal ldlogger\u00a0library, which is executed by the CodeChecker log\u00a0command.\n\n\n\n\n\nThis issue affects CodeChecker: through 6.26.1."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100 Overflow Buffers"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "LOW",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-121",
                  "description": "CWE-121 Stack based buffer overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-28T18:49:49.516Z",
            "orgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
            "shortName": "ERIC"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/Ericsson/codechecker/security/advisories/GHSA-5xf2-f6ch-6p8r"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "tags": [
            "x_open-source"
          ],
          "title": "Buffer overflow in CodeChecker log command",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
        "assignerShortName": "ERIC",
        "cveId": "CVE-2025-40843",
        "datePublished": "2025-10-28T18:49:49.516Z",
        "dateReserved": "2025-04-16T08:59:01.744Z",
        "dateUpdated": "2025-10-28T19:30:25.737Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-0636 (GCVE-0-2025-0636)

    Vulnerability from cvelistv5 – Published: 2025-10-13 06:26 – Updated: 2025-10-14 13:25
    VLAI
    Title
    Arbitrary Code Execution vulnerability in Ericsson RAN Compute and Site Controller
    Summary
    EMCLI contains a high severity vulnerability where improper neutralization of special elements used in an OS command could be exploited leading to Arbitrary Code Execution.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    Assigner
    Impacted products
    Date Public
    2025-10-10 06:50
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-0636",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-14T13:25:34.279595Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-14T13:25:42.989Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Site Controller 6610",
              "vendor": "Ericsson",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "S24.Q2, S24.Q3.1 S24.Q4 S25.Q1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "S24.Q2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "RAN Compute (all BB versions)",
              "vendor": "Ericsson",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "4.Q1.C5 24.Q2 24.Q3 24.Q4 25.Q1 RCG123.1 RCG123.2 RCG123.3",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "24.Q1.C5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2025-10-10T06:50:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eEMCLI contains a high severity vulnerability where improper neutralization of special elements used in an OS command could be exploited leading to Arbitrary Code Execution. \u0026nbsp; \u003c/span\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "EMCLI contains a high severity vulnerability where improper neutralization of special elements used in an OS command could be exploited leading to Arbitrary Code Execution."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-13T06:26:16.829Z",
            "orgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
            "shortName": "ERIC"
          },
          "references": [
            {
              "url": "https://www.ericsson.com/en/about-us/security/psirt/cve-2025-0636"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Arbitrary Code Execution vulnerability in Ericsson RAN Compute and Site Controller",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
        "assignerShortName": "ERIC",
        "cveId": "CVE-2025-0636",
        "datePublished": "2025-10-13T06:26:16.829Z",
        "dateReserved": "2025-01-22T10:46:30.753Z",
        "dateUpdated": "2025-10-14T13:25:42.989Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-27258 (GCVE-0-2025-27258)

    Vulnerability from cvelistv5 – Published: 2025-10-13 06:25 – Updated: 2025-10-14 15:29
    VLAI
    Title
    Ericsson Network Manager: escalation of privilege vulnerability
    Summary
    Ericsson Network Manager (ENM) versions prior to ENM 25.1 GA contain a vulnerability, if exploited, can result in an escalation of privilege.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    Ericsson Ericsson Network Manager(ENM) Affected: 0 , < 25.1 (custom)
    Create a notification for this product.
    Date Public
    2025-10-10 07:31
    Credits
    Ericsson would like to thank the following personnel from TIM Security Red Team Research for reporting these issues to us: Andrea Carlo Maria Dattola, Cristina Coppola, Carlo Pannullo, Massimiliano Brolli
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-27258",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-14T15:29:36.817155Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-14T15:29:59.253Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Ericsson Network Manager(ENM)",
              "vendor": "Ericsson",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "Version 25.1 or later",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "25.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Ericsson would like to thank the following personnel from TIM Security Red Team Research for reporting these issues to us: Andrea Carlo Maria Dattola, Cristina Coppola, Carlo Pannullo, Massimiliano Brolli"
            }
          ],
          "datePublic": "2025-10-10T07:31:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;Ericsson Network Manager (ENM) versions prior to ENM 25.1 GA contain a vulnerability, if exploited, can result in an escalation of privilege.\u003c/span\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "Ericsson Network Manager (ENM) versions prior to ENM 25.1 GA contain a vulnerability, if exploited, can result in an escalation of privilege."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-13T06:25:32.326Z",
            "orgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
            "shortName": "ERIC"
          },
          "references": [
            {
              "url": "https://www.ericsson.com/en/about-us/security/psirt/security-bulletin-enm-october-2025"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Ericsson Network Manager: escalation of privilege vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
        "assignerShortName": "ERIC",
        "cveId": "CVE-2025-27258",
        "datePublished": "2025-10-13T06:25:32.326Z",
        "dateReserved": "2025-02-21T08:58:20.366Z",
        "dateUpdated": "2025-10-14T15:29:59.253Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-27259 (GCVE-0-2025-27259)

    Vulnerability from cvelistv5 – Published: 2025-10-13 06:16 – Updated: 2025-10-14 16:06
    VLAI
    Title
    Ericsson Network Manager: improper neutralization of user controlled input
    Summary
    Ericsson Network Manager versions prior to ENM 25.2 GA contain a vulnerability that, if exploited, can exfiltrate limited data or redirect victims to other sites or domains.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Ericsson Ericsson Network Manager(ENM) Affected: 0 , < all versions prior to 25.2 (custom)
    Create a notification for this product.
    Date Public
    2025-10-10 07:31
    Credits
    Ericsson would like to thank the following personnel from TIM Security Red Team Research for reporting these issues to us: Andrea Carlo Maria Dattola, Cristina Coppola, Carlo Pannullo, Massimiliano Brolli
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-27259",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-14T16:01:04.095742Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-14T16:06:38.469Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Ericsson Network Manager(ENM)",
              "vendor": "Ericsson",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "Version 25.2 or later",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "all versions prior to 25.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Ericsson would like to thank the following personnel from TIM Security Red Team Research for reporting these issues to us: Andrea Carlo Maria Dattola, Cristina Coppola, Carlo Pannullo, Massimiliano Brolli"
            }
          ],
          "datePublic": "2025-10-10T07:31:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eEricsson Network Manager versions prior to ENM 25.2 GA contain a vulnerability that, if exploited, can exfiltrate limited data or redirect victims to other sites or domains. \u0026nbsp;\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "Ericsson Network Manager versions prior to ENM 25.2 GA contain a vulnerability that, if exploited, can exfiltrate limited data or redirect victims to other sites or domains."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 2.4,
                "baseSeverity": "LOW",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-13T06:16:37.104Z",
            "orgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
            "shortName": "ERIC"
          },
          "references": [
            {
              "url": "https://www.ericsson.com/en/about-us/security/psirt/security-bulletin-enm-october-2025"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Ericsson Network Manager: improper neutralization of user controlled input",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
        "assignerShortName": "ERIC",
        "cveId": "CVE-2025-27259",
        "datePublished": "2025-10-13T06:16:37.104Z",
        "dateReserved": "2025-02-21T08:58:20.367Z",
        "dateUpdated": "2025-10-14T16:06:38.469Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }