A crucial authentication bypass vulnerability has emerged in Nokia’s CloudBand Infrastructure Software program (CBIS) and Nokia Container Service (NCS) Supervisor API, designated as CVE-2023-49564.
This high-severity flaw, scoring 9.6 on the CVSS v3.1 scale, allows unauthorized attackers to bypass authentication mechanisms via specifically crafted HTTP headers, doubtlessly granting full entry to restricted API endpoints with out legitimate credentials.
The vulnerability impacts CBIS 22 and NCS 22.12 variations, impacting enterprises, service suppliers, and public sector organizations using Nokia’s cloud and community infrastructure options.
The flaw was publicly disclosed on September 18, 2025, following discovery by Orange Cert researchers who recognized the safety hole throughout routine safety assessments.
Nokia safety researchers recognized the foundation trigger as a weak verification mechanism embedded inside the authentication implementation of the Nginx Podman container operating on the CBIS/NCS Supervisor host machine.
This architectural weak point permits risk actors to govern HTTP header fields to trick the authentication system into believing a request is legit.
The exploitation vector requires adjoining community entry (CVSS AV:A), making it significantly regarding for enterprise environments the place attackers may have already got gained preliminary community foothold.
As soon as exploited, the vulnerability supplies full compromise capabilities with excessive confidentiality, integrity, and availability impression, permitting attackers to entry delicate configuration information, modify system settings, and doubtlessly disrupt community operations.
Technical Assault Mechanism
The authentication bypass operates via header manipulation focusing on the Nginx container’s verification logic.
When processing API requests, the system fails to correctly validate authentication tokens embedded in HTTP headers, creating a chance for crafted requests to bypass safety controls.
The vulnerability permits unauthenticated customers to succeed in delicate endpoints that ought to require administrative privileges.
Vulnerability DetailsInformationCVE IDCVE-2023-49564CVSS Score9.6 (Essential)Assault VectorAdjacent NetworkAffected ProductsCBIS 22, NCS 22.12Fix VersionsCBIS 22 FP1 MP1.2, NCS 22.12 MP3
Organizations can partially mitigate dangers by implementing exterior firewall restrictions on administration community entry whereas making use of the patches offered in CBIS 22 FP1 MP1.2 and NCS 22.12 MP3 variations.
Discover this Story Attention-grabbing! Comply with us on Google Information, LinkedIn, and X to Get Extra Instantaneous Updates.
