Cyber Resilience

CVE-2023-31044

Low

Published: 03 March 2026

Modified: 09 March 2026
KEV Added
Patch
CVSS Score v3.1: 2.0 (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N)
EPSS Score: 0.0024 (14.5th percentile)
Risk Priority: 15 (floored blend · peak EPSS)

Summary

CVE-2023-31044 is a low-severity Code Injection (CWE-94) vulnerability in Nokia Impact Mobile. Its CVSS base score is 2.0 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 14.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-31044 is a code injection vulnerability (CWE-94) discovered in Nokia Impact versions before Mobile 23_FP1, specifically affecting Impact DM 19.11 and later. A remote authenticated user can exploit the Add Campaign functionality by injecting a malicious payload into the Campaign Name field. This payload persists in data exported to a CSV file. The CVSS v3.1 base score is 2.0 (AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N), indicating low severity due to high attack complexity, required privileges, and user interaction.

Exploitation requires a remote authenticated user with high privileges (PR:H) to create a campaign with the injected payload. When an authorized user exports campaigns to CSV and opens the file in spreadsheet software, the payload in the populated data fields may trigger automatic execution, potentially leading to low-impact confidentiality breaches such as data exfiltration or other malicious activities.

Mitigation details are outlined in advisories available at https://nokia.com and https://www.gruppotim.it/it/footer/red-team/2023/Motive-Impact-CVE-2023-31044.html. Affected systems should be upgraded to Nokia Impact Mobile 23_FP1 or later to address the issue.

Vulnerability details

An issue was discovered in Nokia Impact before Mobile 23_FP1. In Impact DM 19.11 onwards, a remote authenticated user, using the Add Campaign functionality, can inject a malicious payload within the Campaign Name. This data can be exported to a CSV file. Attackers can populate data fields that may attempt data exfiltration or other malicious activity when automatically executed by the spreadsheet software.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1204.002 Malicious File (Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.

Why these techniques?

The payload is injected directly into a web application field (T1190) and persists into the exported CSV, which enables execution when the victim opens the malicious file (T1204.002).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2021-35486 (Same product: Nokia Impact Mobile)
CVE-2025-41717 (Shared CWE-94)
CVE-2025-24818 (Same vendor: Nokia)
CVE-2025-24817 (Same vendor: Nokia)
CVE-2021-35484 (Same vendor: Nokia)
CVE-2026-41229 (Shared CWE-94)
CVE-2026-44262 (Shared CWE-94)
CVE-2026-40563 (Shared CWE-94)
CVE-2024-32641 (Shared CWE-94)
CVE-2025-71243 (Shared CWE-94)

Affected Assets

nokia
impact mobile
19.11 — 23

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent

Enforces validation on the Campaign Name input field to reject malicious payloads before they are stored and later exported.

prevent

Requires timely application of the vendor patch (Impact Mobile 23_FP1) that eliminates the injection flaw in the Add Campaign function.

prevent

Filters or sanitizes campaign data on CSV export so that spreadsheet formulas or payloads cannot be automatically executed by the receiving application.
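
The export-side control described above, as an added example (not Nokia's code and not the vendor's fix, which this page does not show): every cell is neutralized before it is written, so a stored Campaign Name that starts with a formula trigger is displayed as text. The record schema, function names and sample rows are assumptions made for the illustration.

```python
import csv
import io

# Leading characters that make spreadsheet software evaluate a cell
# (the set listed in OWASP's CSV Injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a string that a spreadsheet will display as text, not evaluate."""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)  # real numbers (e.g. -5) are not attacker-controlled text
    text = "" if value is None else str(value)
    # Some spreadsheet parsers skip leading spaces, so check the stripped form too.
    if text.startswith(FORMULA_TRIGGERS) or text.lstrip().startswith(FORMULA_TRIGGERS):
        return "'" + text  # a leading apostrophe forces the cell to plain text
    return text


def export_campaigns_csv(campaigns):
    """Serialize campaign records (hypothetical schema) with every cell neutralized."""
    buf = io.StringIO()
    # QUOTE_ALL keeps embedded commas, quotes and newlines inside one field.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    writer.writerow(["Campaign Name", "Owner", "Devices"])
    for c in campaigns:
        writer.writerow([neutralize_cell(c[k]) for k in ("name", "owner", "devices")])
    return buf.getvalue()


# Constructed sample records; the formula-like names are harmless arithmetic.
SAMPLE_CAMPAIGNS = [
    {"name": "Spring rollout", "owner": "ops", "devices": 120},
    {"name": "=1+1", "owner": "ops", "devices": 3},
    {"name": "  @SUM(A1:A2)", "owner": "qa", "devices": -5},
    {"name": 'Q3, "pilot"', "owner": "+field-team", "devices": 40},
]

if __name__ == "__main__":
    print(export_campaigns_csv(SAMPLE_CAMPAIGNS))
```

Neutralizing at export time covers payloads already stored before input validation was introduced; legitimate text values that begin with a trigger character will show a leading apostrophe in the exported file.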
