CVE-2025-24331 is a privilege escalation vulnerability found in Nokia's Single RAN baseband OAM (Operations, Administration, and Maintenance) service. The OAM service is designed to run as an unprivileged process to limit its access and reduce security risks. However, during its startup sequence, it initially runs with root privileges and assigns certain Linux capabilities before dropping to a lower privilege level. The problem arises because the capabilities retained after the privilege drop remain extensive and allow the service to perform actions beyond its intended scope. Specifically, these capabilities could enable an attacker who gains control of the OAM service to escalate privileges to root, access and modify root-owned files, and then restore their ownership to root, effectively bypassing intended security boundaries. This vulnerability affects all Nokia Single RAN releases prior to version 24R1-SR 0.2 MP, where the issue has been addressed by restricting the OAM service capabilities to the minimum necessary. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet. The vulnerability stems from improper capability management during privilege dropping, a common security pitfall in service design that can lead to unauthorized root access if exploited.

For European organizations, especially telecom operators and infrastructure providers using Nokia Single RAN equipment, this vulnerability poses a significant risk. Exploitation could allow attackers to gain root-level control over baseband equipment, which is critical for managing radio access networks. This could lead to unauthorized configuration changes, interception or disruption of mobile communications, and potential service outages affecting large user bases. Confidentiality of subscriber data and integrity of network operations could be compromised. Given the critical role of Single RAN in mobile network infrastructure, successful exploitation could impact availability and trust in telecom services. The risk is heightened in environments where network management interfaces are exposed or insufficiently segmented. Although no exploits are known in the wild, the potential impact on national communications infrastructure and critical services makes this a high-priority issue for European telecom operators.

Organizations should immediately verify the Nokia Single RAN software version in use and plan to upgrade to version 24R1-SR 0.2 MP or later, where the vulnerability is fixed by minimizing the capabilities retained after privilege dropping. Until the upgrade is applied, network administrators should restrict access to the OAM service interfaces through network segmentation, firewall rules, and strict access controls to limit exposure to potentially malicious actors. Monitoring and logging of OAM service activities should be enhanced to detect unusual behavior indicative of exploitation attempts. Additionally, applying host-based security controls such as SELinux or AppArmor profiles tailored to the OAM service can help enforce least privilege and contain potential misuse. Regular audits of capability assignments and privilege dropping mechanisms in network management software are recommended to prevent similar issues. Finally, coordinate with Nokia support for any interim patches or recommended configuration changes.