CVE-2025-9974
Published: 02 February 2026
Summary
CVE-2025-9974 is a high-severity OS Command Injection (CWE-78) vulnerability in Nokia (inferred from references). Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-9974 affects the unified WEBUI application in ONT/Beacon devices, where an input handling flaw (CWE-78) allows authenticated users to trigger unintended system-level command execution. The issue stems from insufficient validation of user-supplied data, enabling arbitrary command injection on the underlying ONT/Beacon operating system. Published on 2026-02-02, it carries a CVSS v3.1 base score of 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A low-privileged authenticated attacker with adjacent network access (AV:A) can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows execution of arbitrary commands on the device OS, potentially leading to high impacts on confidentiality, integrity, and availability.
Mitigation details are available in the Nokia product security advisory at https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-9974/.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206613
Vulnerability details
The unified WEBUI application of the ONT/Beacon device contains an input handling flaw that allows authenticated users to trigger unintended system-level command execution. Due to insufficient validation of user-supplied data, a low-privileged authenticated attacker may be able to execute arbitrary…
more
commands on the underlying ONT/Beacon operating system, potentially impacting the confidentiality, integrity, and availability of the device.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CWE-78 command injection in web UI directly enables remote OS command execution (T1059.004 Unix Shell) via authenticated access to a network-exposed application (T1190).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mandates validation of user-supplied inputs in the WEBUI to prevent command injection from insufficient data validation.
Requires identification, reporting, and correction of the specific input handling flaw enabling arbitrary OS command execution on the ONT/Beacon device.
Enforces least privilege to restrict the impact of arbitrary command execution by low-privileged authenticated users on the underlying operating system.