CVE-2025-55052 is a medium-severity vulnerability classified under CWE-200, which involves the exposure of sensitive information to unauthorized actors. This vulnerability affects multiple Baicells products, specifically the NEUTRINO430, NOVA436Q, NOVA430e/430i, NOVA846, NOVA246, NOVA243, NOVA233, and NOVA227 models. The affected firmware versions include BaiBS_RTS_3.. and older, as well as BaiBS_RTD_3.. and older versions. The vulnerability allows an attacker with low complexity and requiring low privileges (PR:L) but no user interaction (UI:N) to remotely access sensitive information over the network (AV:N). The CVSS v3.1 base score is 4.3, indicating a medium severity level. The impact is limited to confidentiality (C:L), with no impact on integrity or availability. The vulnerability does not require user interaction and does not escalate privileges but does require some level of privilege, suggesting that an attacker might need to have some authenticated access or be on a trusted network segment to exploit it. The lack of known exploits in the wild and absence of published patches as of the date indicates that the vulnerability might be newly disclosed and not yet actively exploited. The technical details do not specify the exact nature of the sensitive information exposed, but given the product types—wireless broadband access equipment—this could include configuration data, network credentials, or operational parameters that could aid further attacks or reconnaissance. The exposure of such information could facilitate subsequent attacks or unauthorized network access if leveraged properly.

For European organizations, especially those utilizing Baicells NEUTRINO and NOVA series equipment for wireless broadband or private LTE/5G networks, this vulnerability poses a risk of sensitive information leakage. Such exposure could lead to unauthorized disclosure of network configuration, credentials, or operational data, potentially enabling attackers to map network topology, identify weaknesses, or prepare for more severe attacks such as network intrusion or service disruption. Organizations in sectors relying on private wireless networks—such as utilities, transportation, manufacturing, and critical infrastructure—may be particularly impacted. The confidentiality breach could undermine trust in network security and compliance with data protection regulations like GDPR if personal or sensitive data is indirectly exposed. Although the vulnerability does not directly affect integrity or availability, the information disclosure could be a stepping stone for more damaging attacks. The requirement for some privilege to exploit the vulnerability limits the risk to insider threats or attackers who have gained limited access, but the network exposure vector means that attackers who compromise a less secure segment could leverage this vulnerability to escalate their knowledge and foothold.

1. Immediate firmware upgrade: Organizations should monitor Baicells' official channels for patches or firmware updates addressing CVE-2025-55052 and apply them promptly once available. 2. Network segmentation: Restrict access to management interfaces of affected Baicells devices to trusted network segments and limit exposure to the internet or untrusted networks. 3. Access control hardening: Enforce strict authentication and authorization policies to minimize the number of users with privileges sufficient to exploit this vulnerability. 4. Monitor and audit: Implement continuous monitoring and logging of access to Baicells devices to detect unusual or unauthorized access attempts. 5. Use VPN or secure tunnels: Where remote management is necessary, ensure connections are secured via VPNs or encrypted tunnels to reduce the risk of interception or unauthorized access. 6. Incident response readiness: Prepare to investigate and respond to potential information disclosure incidents, including verifying device configurations and reviewing logs for signs of exploitation. 7. Vendor engagement: Engage with Baicells support to obtain guidance, timeline for patches, and best practices specific to these devices. 8. Limit privilege exposure: Review and minimize privileges assigned to users and services interacting with these devices to reduce the attack surface.