CVE-2025-9974 is a command injection vulnerability identified in the unified WEBUI application of Nokia ONT/Beacon devices. The root cause is insufficient validation of user-supplied input, which allows authenticated users with low privileges to execute arbitrary system-level commands on the underlying operating system. This vulnerability falls under CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The flaw enables attackers to escalate their privileges indirectly by executing commands that can alter device configuration, extract sensitive data, or disrupt device operations. The attack vector requires network access with authentication but no user interaction, making it feasible for insiders or compromised accounts. The affected versions include all Nokia ONT releases prior to BBDR2503. The vulnerability has a CVSS 3.1 base score of 8.0, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and privileges required. Although no public exploits are known yet, the potential for impactful misuse is significant given the device’s role in network access and broadband termination. The vulnerability’s presence in a widely deployed telecom device underscores the importance of timely remediation and monitoring.

For European organizations, particularly telecom operators and ISPs using Nokia ONT devices, this vulnerability poses a serious risk. Exploitation could lead to unauthorized command execution, allowing attackers to manipulate device configurations, intercept or alter data traffic, or cause denial of service by disrupting device functionality. This can compromise subscriber privacy, degrade network reliability, and potentially enable lateral movement within the network. Given the critical role of ONT devices in broadband access networks, successful exploitation could impact large numbers of end users and critical infrastructure services. The confidentiality of subscriber data and the integrity of network operations are at risk, which may also lead to regulatory and compliance issues under GDPR and other European data protection laws. The availability impact could disrupt broadband services, affecting business continuity and public communications. The vulnerability’s requirement for authentication limits exposure but does not eliminate risk, especially in environments with weak credential management or insider threats.

1. Apply the vendor patch or upgrade to Nokia ONT firmware version BBDR2503 or later as soon as it becomes available. 2. Restrict access to the WEBUI interface to trusted management networks only, using network segmentation and access control lists (ACLs). 3. Enforce strong authentication mechanisms and regularly audit user accounts with access to the WEBUI to prevent unauthorized access. 4. Implement monitoring and alerting for unusual command execution or configuration changes on ONT devices. 5. Use multi-factor authentication (MFA) where supported to reduce the risk of credential compromise. 6. Conduct regular vulnerability scans and penetration tests focusing on management interfaces of network devices. 7. Educate network administrators about the risks of command injection and the importance of input validation and secure configuration. 8. Maintain an incident response plan that includes procedures for compromised network devices.