CVE-2023-49564
Published: 18 September 2025
Summary
CVE-2023-49564 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Nokia (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).
Deeper analysis
CVE-2023-49564 is an authentication bypass vulnerability in the CBIS/NCS Manager API, stemming from a weak verification mechanism in the authentication implementation within the Nginx Podman container on the CBIS/NCS Manager host machine. An unauthenticated user can send a specially crafted HTTP header to gain unauthorized access to API functions, including restricted or sensitive endpoints of the HTTP API, without providing valid credentials. The vulnerability is rated with a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-288 (Authentication Bypass Using an Alternate Path or Channel).
Attackers on an adjacent network (AV:A) with low attack complexity (AC:L) and no privileges (PR:N) can exploit this flaw without user interaction (UI:N). Successful exploitation grants high-impact access to confidential data, modification of system integrity, and potential disruption of availability across the affected API endpoints in an unscoped manner (S:U).
The Nokia product security advisory recommends partially mitigating the risk by restricting access to the management network using external firewalls, as detailed at https://www.nokia.com/about-us/security-and-privacy/product-security-advisory/CVE-2023-49564/.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-53520
Vulnerability details
The CBIS/NCS Manager API is vulnerable to an authentication bypass. By sending a specially crafted HTTP header, an unauthenticated user can gain unauthorized access to API functions. This flaw allows attackers to reach restricted or sensitive endpoints of the HTTP…
more
API without providing any valid credentials. The root cause of this vulnerability lies in a weak verification mechanism within the authentication implementation present in the Nginx Podman container on the CBIS/NCS Manager host machine. The risk can be partially mitigated by restricting access to the management network using external firewall.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authentication bypass in exposed management API directly enables exploitation of the application for unauthorized access and initial foothold.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved authorizations for access to system resources, directly addressing the authentication bypass that allowed unauthorized access to restricted API endpoints.
Monitors and controls communications at external interfaces, enabling network restrictions like firewalls to block adjacent network access to the vulnerable management API as recommended in the advisory.
Manages authenticators with proper verification processes to mitigate weak authentication verification mechanisms in the Nginx Podman container implementation.