CVE-2021-35485
Published: 03 March 2026
Summary
CVE-2021-35485 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Nokia Impact. Its CVSS base score is 8.0 (High).
Operationally, it is ranked at the 19.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly remediates the specific flaw in Nokia IMPACT's Applications component that allows unrestricted upload of server-side executable files.
Enforces validation of files uploaded via the /ui/rest-proxy/application fileupload parameter to block dangerous executable types.
Deploys malicious code protection to scan and block uploaded server-side executables from execution.
NVD Description
The Applications component of Nokia IMPACT version through 19.11.2.10-20210118042150283 allows an authenticated user to arbitrarily upload server-side executable files via the /ui/rest-proxy/application fileupload parameter. This can occur during the adding of a new application, or during the editing of an existing one.
Deeper analysis
CVE-2021-35485 is a vulnerability in the Applications component of Nokia IMPACT versions through 19.11.2.10-20210118042150283. It enables an authenticated user to arbitrarily upload server-side executable files via the /ui/rest-proxy/application fileupload parameter. This upload can occur during the addition of a new application or the editing of an existing one, corresponding to CWE-434 (Unrestricted Upload of File with Dangerous Type).
The vulnerability has a CVSS v3.1 base score of 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating exploitation requires adjacent network access, low attack complexity, low privileges, and no user interaction. An authenticated attacker can leverage this to upload and potentially execute arbitrary server-side files, resulting in high impacts to confidentiality, integrity, and availability, such as full server compromise.
Advisories and mitigation guidance are detailed in the Gruppo TIM Red Team report at https://www.gruppotim.it/it/footer/red-team/2021/Motive-Impact-CVE-2021-35485.html, the Nokia IMPACT IoT platform page at https://www.nokia.com/networks/solutions/impact-iot-platform/, and Nokia's responsible disclosure notice at https://www.nokia.com/notices/responsible-disclosure/. The CVE was published on 2026-03-03T18:16:20.910.
Details
- CWE(s)