Cyber Resilience

CVE-2023-49565

High

Published: 18 September 2025

Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score v3.1: 8.4 (CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0020 (42.2nd percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-49565 is a high-severity Command Injection (CWE-77) vulnerability in a Nokia product (vendor inferred from references). Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 42.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2023-49565 is a remote command execution vulnerability in the cbis_manager Podman container, specifically affecting the /api/plugins endpoint. The issue stems from improper sanitization of the HTTP headers X-FILENAME, X-PAGE, and X-FIELD, which are passed directly to the subprocess.Popen Python function without validation. This allows command injection, enabling attackers to execute arbitrary commands on the underlying system through crafted header values in an HTTP request. The web service runs with root privileges in the container, granting executed commands elevated access.

An attacker with adjacent network access (AV:A) and high privileges (PR:H) can exploit this with low complexity (AC:L) by sending a malicious HTTP request to the vulnerable endpoint. Successful exploitation leads to remote code execution with root privileges within the container environment, resulting in high confidentiality, integrity, and availability impacts (C:H/I:H/A:H) across a changed scope (S:C). The vulnerability carries a CVSS v3.1 base score of 8.4 and is associated with CWE-77 (Command Injection).

Nokia's product security advisory for CVE-2023-49565 recommends restricting access to the management network using an external firewall as a partial mitigation. No patches or additional remediation details are specified in the available information.
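
As an added illustration (not Nokia's code and not taken from the advisory), the sketch below shows one way to handle the three headers so they cannot alter the command: each value must match an allow-list, and the values are passed as separate argv items with no shell. The allow-list patterns, the function names and the echo helper are assumptions, since the real header formats and the invoked program are not given on this page.

```python
import re
import subprocess
import sys

# Risky pattern class (constructed illustration, not the product's code):
#   subprocess.Popen("tool " + headers["X-FILENAME"], shell=True)
# Here the header text becomes part of a shell command line.

# Assumed allow-lists; the real formats of these headers are not on the page.
# Assumes the framework has already normalised header names to this casing.
HEADER_RULES = {
    "X-FILENAME": re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}"),
    "X-PAGE": re.compile(r"[0-9]{1,4}"),
    "X-FIELD": re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,31}"),
}

class RejectedHeader(ValueError):
    """Raised when a header is missing or fails its allow-list."""

def validated_args(headers):
    """Return the three header values in fixed order, or raise RejectedHeader."""
    values = []
    for name, rule in HEADER_RULES.items():
        value = headers.get(name)
        # fullmatch: the whole value must fit, including any trailing newline
        if value is None or not rule.fullmatch(value):
            raise RejectedHeader(name)
        values.append(value)
    return values

def run_plugin(headers, tool_argv):
    """Run the helper with validated values as separate argv items, no shell."""
    # "--" ends option parsing, so a value can never be read as a flag
    argv = list(tool_argv) + ["--"] + validated_args(headers)
    done = subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=10, check=True)
    return done.stdout

# Stand-in helper (hypothetical): echoes the arguments it received.
ECHO_TOOL = [sys.executable, "-c", "import sys; print('|'.join(sys.argv[1:]))"]

if __name__ == "__main__":
    good = {"X-FILENAME": "report.yaml", "X-PAGE": "2", "X-FIELD": "hostname"}
    print(run_plugin(good, ECHO_TOOL).strip())
    try:
        run_plugin({**good, "X-FILENAME": "report.yaml;x"}, ECHO_TOOL)
    except RejectedHeader as err:
        print("rejected:", err)
```

Validation of this kind corresponds to the SI-10 control named in the summary; running the service as a non-root user (AC-6) limits what any remaining flaw can reach.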

Vulnerability details

The cbis_manager Podman container is vulnerable to remote command execution via the /api/plugins endpoint. Improper sanitization of the HTTP Headers X-FILENAME, X-PAGE, and X-FIELD allows for command injection. These headers are directly utilized within the subprocess.Popen Python function without adequate validation, enabling a remote attacker to execute arbitrary commands on the underlying system by crafting malicious header values within an HTTP request to the affected endpoint. The web service executes with root privileges within the container environment; the demonstrated remote code execution permits an attacker to acquire elevated privileges for the command execution. Restricting access to the management network with an external firewall can partially mitigate this risk.

CWE(s): CWE-77 (Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190: Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.006: Python (tactic: Execution)
Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

Direct RCE via command injection in public web endpoint (/api/plugins) using unsanitized headers to Python Popen, enabling arbitrary command execution as root.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-41265 (Shared CWE-77)
CVE-2025-34267 (Shared CWE-77)
CVE-2024-34166 (Shared CWE-77)
CVE-2026-30461 (Shared CWE-77)
CVE-2025-64093 (Shared CWE-77)
CVE-2024-54660 (Shared CWE-77)
CVE-2026-26015 (Shared CWE-77)
CVE-2026-26093 (Shared CWE-77)
CVE-2026-30352 (Shared CWE-77)
CVE-2025-55637 (Shared CWE-77)

Affected Assets

Nokia
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates validation and sanitization of untrusted HTTP headers like X-FILENAME, X-PAGE, and X-FIELD to prevent command injection via subprocess.Popen.

prevent

Enforces boundary protection to restrict network access to the vulnerable /api/plugins endpoint, aligning with the recommended external firewall mitigation for management networks.

prevent

Limits the scope and impact of root-privileged RCE by enforcing least privilege on the cbis_manager containerized web service processes.
