Cyber Posture

CVE-2021-35486

High

Published: 03 March 2026
Modified: 13 March 2026
KEV Added: not listed
Patch: (no entry recorded)
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.0003 (7.8th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-35486 is a high-severity CSRF (CWE-352) vulnerability in Nokia Impact Mobile. Its CVSS base score is 8.1 (High).

Operationally, its EPSS score places it at the 7.8th percentile for exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent (SC-23 Session Authenticity): Requires mechanisms to protect session authenticity, such as CSRF token validation via nonces or cookies, directly mitigating the missing validation in the vulnerable endpoint.

prevent (SI-10 Information Input Validation): Mandates validation of information inputs, such as the X-CSRF-NONCE header or the CSRF-NONCE cookie at the /ui/rest-proxy/entity/import endpoint, to block forged configuration import requests.

prevent: Enforces approved authorizations for access to sensitive functions such as configuration import, which can incorporate request authenticity checks to prevent CSRF exploitation.
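As an added example (not code from Nokia IMPACT, the advisory, or this page), a minimal Python sketch of the SC-23/SI-10 check described above: the server mints a nonce, sets it as the CSRF-NONCE cookie, and the import endpoint refuses any request whose X-CSRF-NONCE header does not match that cookie. The Request class, the 128-bit nonce length and the handler's status codes are assumptions made for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

HEADER_NAME = "X-CSRF-NONCE"   # header and cookie names as given in the advisory text
COOKIE_NAME = "CSRF-NONCE"
NONCE_BYTES = 16               # assumption: 128-bit nonces, hex-encoded (32 characters)
IMPORT_PATH = "/ui/rest-proxy/entity/import"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed for this example)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def issue_nonce() -> str:
    """Mint a fresh nonce. The server sets it as the CSRF-NONCE cookie, and the
    application's own JavaScript echoes it back in the X-CSRF-NONCE header."""
    return secrets.token_hex(NONCE_BYTES)


def _header(req: Request, name: str) -> str:
    # HTTP header names are case-insensitive; do not let "x-csrf-nonce" slip past.
    return next((v for k, v in req.headers.items() if k.lower() == name.lower()), "")


def csrf_nonce_valid(req: Request) -> bool:
    """The validation the vulnerable endpoint lacked: header and cookie must both be
    present, well-formed and identical. A cross-site form post carries the cookie
    automatically but cannot attach a custom header, so the comparison fails."""
    header = _header(req, HEADER_NAME)
    cookie = req.cookies.get(COOKIE_NAME, "")
    expected_len = 2 * NONCE_BYTES
    # Length gate first: an empty-vs-empty comparison must never count as a match.
    if len(header) != expected_len or len(cookie) != expected_len:
        return False
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(header.encode(), cookie.encode())


def handle_entity_import(req: Request) -> tuple:
    """Guarded import endpoint: the nonce check runs before any configuration is touched."""
    if req.method in SAFE_METHODS:
        return 405, "import requires POST"
    if not csrf_nonce_valid(req):
        return 403, "CSRF nonce missing or mismatched"
    return 200, "configuration import accepted"   # a real handler would apply the config here
```

A plain double-submit check still trusts whatever cookie arrives; binding the nonce to the authenticated session or signing it with a server-side key closes the cookie-injection gap that remains.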

NVD Description

A Cross-Site Request Forgery (CSRF) vulnerability in Nokia IMPACT through 19.11.2.10-20210118042150283 allows a remote attacker to import and overwrite the entire application configuration. Specifically, in /ui/rest-proxy/entity/import, neither the X-CSRF-NONCE HTTP header nor the CSRF-NONCE cookie is validated.

Deeper analysis

CVE-2021-35486 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting Nokia IMPACT through version 19.11.2.10-20210118042150283. The flaw exists in the /ui/rest-proxy/entity/import endpoint, where neither the X-CSRF-NONCE HTTP header nor the CSRF-NONCE cookie is validated, enabling a remote attacker to import and overwrite the entire application configuration.

A remote attacker with no required privileges (PR:N) can exploit this vulnerability by tricking an authenticated user (UI:R) into interacting with a malicious webpage, such as via a crafted link. Successful exploitation allows the attacker to fully overwrite the application's configuration, resulting in high confidentiality and integrity impacts (C:H/I:H) with no availability impact (A:N), as reflected in the CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N).

Advisories and mitigation guidance are provided in references including the Gruppo TIM Red Team disclosure at https://www.gruppotim.it/it/footer/red-team/2021/Motive-Impact-CVE-2021-35486.html, Nokia's IMPACT IoT platform page at https://www.nokia.com/networks/solutions/impact-iot-platform/, and Nokia's responsible disclosure notice at https://www.nokia.com/notices/responsible-disclosure/.

Details

CWE(s): CWE-352 (Cross-Site Request Forgery)

Affected Products

Nokia Impact Mobile, versions ≤ 19.11.2.10-20210118042150283

CVEs Like This One

CVE-2023-31044 (same product: Nokia Impact Mobile)
CVE-2021-35485 (same vendor: Nokia)
CVE-2025-24818 (same vendor: Nokia)
CVE-2021-35484 (same vendor: Nokia)
CVE-2025-24817 (same vendor: Nokia)
CVE-2025-27020 (same vendor: Nokia)
CVE-2026-28495 (shared CWE-352)
CVE-2025-22343 (shared CWE-352)
CVE-2025-30564 (shared CWE-352)
CVE-2025-26543 (shared CWE-352)

References