Cyber Resilience

CVE-2021-35484

High

Published: 03 March 2026

Modified: 05 March 2026
CVSS Score v3.1: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0024 (14.1th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2021-35484 is a high-severity SQL Injection (CWE-89) vulnerability in Nokia Impact. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 14.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2021-35484 is a Time-based Boolean Blind SQL Injection vulnerability (CWE-89) affecting Nokia IMPACT through version 19.11.2.10-20210118042150283. The issue resides in the /ui/rest-proxy/campaign/statistic endpoint, used for the View Campaign page, which does not properly sanitize the sortColumn HTTP GET parameter before it reaches the SQL query. The vulnerability has a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), reflecting network reachability, low attack complexity and high confidentiality impact. The vector records no privileges required (PR:N), although the vulnerability description states that exploitation requires an authenticated user.

An authenticated user can exploit this vulnerability remotely by crafting malicious sortColumn parameter values to conduct time-based blind SQL injection. Successful exploitation allows extraction of sensitive data from the database, including the database user credentials, database name, and database version information.

Advisories and additional details are available from Gruppo TIM at https://www.gruppotim.it/it/footer/red-team/2021/Motive-Impact-CVE-2021-35484.html, Nokia's IMPACT IoT platform page at https://www.nokia.com/networks/solutions/impact-iot-platform/, and Nokia's responsible disclosure notice at https://www.nokia.com/notices/responsible-disclosure/. Practitioners should consult these for patch information and mitigation guidance.


Vulnerability details

Nokia IMPACT through 19.11.2.10-20210118042150283 allows an authenticated user to perform a Time-based Boolean Blind SQL Injection attack on the endpoint /ui/rest-proxy/campaign/statistic (for the View Campaign page) via the sortColumn HTTP GET parameter. This allows an attacker to access sensitive data from the database and obtain access to the database user, database name, and database version information.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in a public web endpoint directly enables remote exploitation of the application (T1190) and extraction of data from backend databases (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2021-35485: Same product: Nokia Impact
CVE-2018-25199: Shared CWE-89
CVE-2026-27179: Shared CWE-89
CVE-2025-0308: Shared CWE-89
CVE-2019-25581: Shared CWE-89
CVE-2026-27885: Shared CWE-89
CVE-2019-25479: Shared CWE-89
CVE-2026-1476: Shared CWE-89
CVE-2019-25526: Shared CWE-89
CVE-2025-69365: Shared CWE-89

Affected Assets

nokia impact ≤ 19.11.2.10-20210118042150283

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-10 mandates validation of HTTP GET parameters like sortColumn to block time-based blind SQL injection and prevent extraction of sensitive database information.

Prevent: SI-9 enforces restrictions and sanitization on inputs such as the sortColumn parameter, directly mitigating SQL injection vulnerabilities in the /ui/rest-proxy/campaign/statistic endpoint.

Prevent: SI-2 requires timely remediation of identified flaws like CVE-2021-35484 through patching or code fixes to eliminate the SQL injection vulnerability.
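
The SI-10 control above, applied to a sort parameter, as an added example that is not Nokia's code: a column name in ORDER BY cannot be bound as a query parameter, so the server maps the client's sortColumn value onto a fixed allowlist and rejects everything else. The table name, column names, tenant filter and function names are hypothetical, and SQLite stands in for the real database.

```python
import sqlite3

# Hypothetical sortable columns; the real IMPACT schema is not on the page.
SORT_COLUMNS = {"name": "name", "sent": "sent", "failed": "failed"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


class InvalidSort(ValueError):
    """Raised when a client-supplied sort value is not on the allowlist."""


def build_statistics_query(sort_column, sort_dir="asc"):
    """Return SQL whose ORDER BY clause contains only server-side constants."""
    try:
        column = SORT_COLUMNS[sort_column]
        direction = SORT_DIRECTIONS[sort_dir.lower()]
    except (KeyError, AttributeError, TypeError):
        # Unknown name, wrong type (list, None): reject, never pass through.
        raise InvalidSort("unsupported sort request") from None
    # Identifiers cannot be bound as parameters, so the clause is assembled
    # from allowlisted constants; row filters still use placeholders.
    return (
        "SELECT name, sent, failed FROM campaign_statistic "
        f"WHERE tenant = ? ORDER BY {column} {direction}"
    )


def campaign_statistics(conn, tenant, sort_column, sort_dir="asc"):
    """Run the statistics query with a validated sort and a bound filter."""
    sql = build_statistics_query(sort_column, sort_dir)
    return conn.execute(sql, (tenant,)).fetchall()


def demo_db():
    """Constructed in-memory sample data for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE campaign_statistic "
        "(tenant TEXT, name TEXT, sent INTEGER, failed INTEGER)"
    )
    conn.executemany(
        "INSERT INTO campaign_statistic VALUES (?, ?, ?, ?)",
        [("t1", "fw-update", 120, 3), ("t1", "reboot", 40, 9), ("t2", "other", 5, 0)],
    )
    return conn
```

Rejected sort values are worth logging with the requesting account, since a legitimate UI only ever sends names from the allowlist.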
