CVE-2025-55052 is a medium-severity vulnerability classified under CWE-200, which involves the exposure of sensitive information to unauthorized actors. This vulnerability affects multiple Baicells products, including NEUTRINO430, NOVA436Q, NOVA430e/430i, NOVA846, NOVA246, NOVA243, NOVA233, and NOVA227, specifically in versions running BaiBS_RTS_3.. and older and BaiBS_RTD_3.. and older firmware. The vulnerability allows an attacker with network access and low privileges (PR:L) to remotely access sensitive information without requiring user interaction (UI:N). The CVSS 3.1 base score is 4.3, indicating a medium impact primarily on confidentiality (C:L), with no impact on integrity or availability. The attack vector is network-based (AV:N), and the scope remains unchanged (S:U). Although no known exploits are currently in the wild and no patches have been published yet, the exposure of sensitive data could facilitate further attacks or unauthorized surveillance. The affected devices are typically used in wireless broadband infrastructure, often deployed by telecom operators and ISPs to provide LTE or 5G services. Sensitive information exposure could include configuration details, credentials, or network parameters that could be leveraged to compromise network security or privacy.

For European organizations, especially telecom operators, ISPs, and enterprises relying on Baicells equipment for wireless broadband connectivity, this vulnerability poses a risk of unauthorized disclosure of sensitive network information. Such exposure could lead to targeted attacks, including unauthorized network access, interception of communications, or preparation for more severe attacks. Given the critical role of these devices in providing connectivity, any compromise could affect service confidentiality and customer privacy. While the vulnerability does not directly impact system integrity or availability, the leakage of sensitive information could undermine trust and regulatory compliance, particularly under GDPR, which mandates protection of personal and network data. The medium severity suggests a moderate risk, but the lack of patches and the network-exploitable nature mean that organizations should prioritize mitigation to prevent potential escalation or exploitation.

Organizations should immediately inventory Baicells devices in their networks to identify affected versions. Until patches are available, network segmentation should be enforced to restrict access to management interfaces and sensitive device endpoints, limiting exposure to trusted internal networks only. Implement strict access controls and monitoring on network segments hosting these devices to detect anomalous access attempts. Use VPNs or encrypted tunnels for remote management to prevent interception. Regularly audit device configurations to ensure no unnecessary services or ports are exposed. Engage with Baicells support to obtain timelines for patches or firmware updates and apply them promptly once released. Additionally, consider deploying intrusion detection systems (IDS) tuned to detect reconnaissance or data exfiltration attempts targeting these devices. Finally, update incident response plans to include scenarios involving sensitive information exposure from network infrastructure equipment.