Authentication Bypass in CBIS/NCS Manager API by Nokia
CVE-2023-49564

8.8HIGH

Key Information:

Vendor: Nokia
Status: Cbis,ncs
Vendor: CVE Published:; 18 September 2025

What is CVE-2023-49564?

The CBIS/NCS Manager API by Nokia contains a vulnerability that allows an unauthenticated user to exploit an authentication bypass. This is achieved by sending a specially crafted HTTP header, enabling access to sensitive API functions without valid credentials. The flaw stems from a weak verification mechanism in the authentication implementation located in the Nginx Podman container on the CBIS/NCS Manager host machine. To reduce the risk associated with this vulnerability, it is advisable to restrict access to the management network through external firewall configurations.

Affected Version(s)

CBIS,NCS CBIS 22, NCS 22.12

References

https://www.nokia.com/about-us/security-and-privacy/produ...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 18, 2025
Vulnerability Reserved
Nov 27, 2023

JSON