Cyber Resilience

CVE-2023-49564

High

Published: 18 September 2025

Published
18 September 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0016 36.5th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-49564 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Nokia (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2023-49564 is an authentication bypass vulnerability in the CBIS/NCS Manager API, stemming from a weak verification mechanism in the authentication implementation within the Nginx Podman container on the CBIS/NCS Manager host machine. An unauthenticated user can send a specially crafted HTTP header to gain unauthorized access to API functions, including restricted or sensitive endpoints of the HTTP API, without providing valid credentials. The vulnerability is rated with a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-288 (Authentication Bypass Using an Alternate Path or Channel).

Attackers on an adjacent network (AV:A) with low attack complexity (AC:L) and no privileges (PR:N) can exploit this flaw without user interaction (UI:N). Successful exploitation grants high-impact access to confidential data, modification of system integrity, and potential disruption of availability across the affected API endpoints in an unscoped manner (S:U).

The Nokia product security advisory recommends partially mitigating the risk by restricting access to the management network using external firewalls, as detailed at https://www.nokia.com/about-us/security-and-privacy/product-security-advisory/CVE-2023-49564/.

EU & UK References

Vulnerability details

The CBIS/NCS Manager API is vulnerable to an authentication bypass. By sending a specially crafted HTTP header, an unauthenticated user can gain unauthorized access to API functions. This flaw allows attackers to reach restricted or sensitive endpoints of the HTTP…

more

API without providing any valid credentials. The root cause of this vulnerability lies in a weak verification mechanism within the authentication implementation present in the Nginx Podman container on the CBIS/NCS Manager host machine. The risk can be partially mitigated by restricting access to the management network using external firewall.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Authentication bypass in exposed management API directly enables exploitation of the application for unauthorized access and initial foothold.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-10294Shared CWE-288
CVE-2026-3461Shared CWE-288
CVE-2025-67070Shared CWE-288
CVE-2026-42760Shared CWE-288
CVE-2026-44575Shared CWE-288
CVE-2026-1779Shared CWE-288
CVE-2025-0316Shared CWE-288
CVE-2026-45109Shared CWE-288
CVE-2025-5397Shared CWE-288
CVE-2026-31271Shared CWE-288

Affected Assets

Nokia
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for access to system resources, directly addressing the authentication bypass that allowed unauthorized access to restricted API endpoints.

prevent

Monitors and controls communications at external interfaces, enabling network restrictions like firewalls to block adjacent network access to the vulnerable management API as recommended in the advisory.

prevent

Manages authenticators with proper verification processes to mitigate weak authentication verification mechanisms in the Nginx Podman container implementation.

References