What is the Nokia CVE-2023-49564 vulnerability?

CVE-2023-49564 is a critical authentication bypass vulnerability with a CVSS score of 9.6 affecting Nokia CloudBand Infrastructure Software (CBIS) and Nokia Container Service (NCS) Manager API. The vulnerability is caused by a weak verification mechanism within the authentication implementation that could allow attackers to gain complete unauthorized access to sensitive infrastructure management functions.

Which Nokia products are affected by CVE-2023-49564?

The vulnerability affects Nokia CBIS (CloudBand Infrastructure Software) version 22 and Nokia Container Service (NCS) version 22.12. Nokia confirmed that the vulnerability affects installations running the default Manager API configurations.

Who discovered the Nokia CVE-2023-49564 vulnerability?

Orange Cert discovered the vulnerability during routine security assessments and publicly disclosed it on September 18, 2025.

What can attackers do with the Nokia authentication bypass vulnerability?

Attackers can gain complete unauthorized access to sensitive infrastructure management functions by bypassing authentication mechanisms. This could allow them to access unrestricted API endpoints and potentially compromise critical network infrastructure managed by Nokia CBIS and NCS systems.

Which Nokia versions fix the CVE-2023-49564 vulnerability?

Nokia has released patched versions that fix the vulnerability: CBIS 22 FP1 MP1.2 for CloudBand Infrastructure Software and NCS 22.12 MP3 for Nokia Container Service. These updates restore proper header validation and authentication enforcement.

What should organizations do about the Nokia vulnerability?

Organizations should immediately verify their current Nokia CBIS and NCS versions and upgrade to the patched releases (CBIS 22 FP1 MP1.2 or NCS 22.12 MP3). Additionally, administrators should restrict network access to management interfaces using microsegmentation and firewall rules, allowing connections only from authorized administrative hosts.

How serious is the Nokia CVE-2023-49564 vulnerability?

This is a critical vulnerability with a CVSS score of 9.6, indicating very high severity. The authentication bypass nature of the flaw means attackers can gain unauthorized access to sensitive infrastructure management functions without any valid credentials, making immediate patching essential.

Advisory

Critical authentication bypass flaw reported in Nokia's CBIS and NCS Management Platforms

Q: How does the Nokia authentication bypass vulnerability work?

The vulnerability is present in the Nginx Podman container running on CBIS and NCS Manager host machines. The authentication layer fails to properly validate custom HTTP headers, enabling adversaries to reach unrestricted API endpoints without providing any valid credentials by injecting specially formatted HTTP headers in their requests.

Q: What additional security measures should be implemented for Nokia systems?

Beyond applying the patches, administrators are urged to implement network access restrictions to management interfaces using microsegmentation and firewall rules. Access should be limited to connections only from authorized administrative hosts to reduce the attack surface.

published: Sept. 19, 2025

Take action: If you're using Nokia CBIS version 22 or NCS version 22.12, make sure it's isolated and accessible only from trusted networks. Then plan a quick upgrade to CBIS 22 FP1 MP1.2 or NCS 22.12 MP3.

Learn More

Nokia has patched a critical authentication bypass vulnerability in its CloudBand Infrastructure Software (CBIS) and Nokia Container Service (NCS) Manager API that could allow attackers to gain complete unauthorized access to sensitive infrastructure management functions.

Orange Cert publicly disclosed the vulnerability on September 18, 2025, following their discovery during routine security assessments.

The vulnerability is tracked as CVE-2023-49564 (CVSS score 9.6), and is caused by a weak verification mechanism within the authentication implementation present in the Nginx Podman container running on CBIS and NCS Manager host machines. The authentication layer fails to properly validate custom HTTP headers, enabling adversaries to reach unrestricted API endpoints without providing any valid credential by injecting specially formatted HTTP headers in their requests.

Affected versions:

Nokia CBIS (CloudBand Infrastructure Software) version 22
Nokia Container Service (NCS) version 22.12

Patched versions:

CBIS 22 FP1 MP1.2
NCS 22.12 MP3

Nokia confirmed that the vulnerability affects installations running the default Manager API configurations. Organizations should immediately verify their current versions and upgrade to the patched releases to restore proper header validation and authentication enforcement.

Administrators are urged to apply these updates and to restrict network access to management interfaces using microsegmentation and firewall rules, allowing connections only from authorized administrative hosts.

Critical authentication bypass flaw reported in Nokia's CBIS and NCS Management Platforms

Read More
Perforce Helix Core Server fixes critical remote code …
Apache ActiveMQ Vulnerability actively exploited, HelloKitty Ransomware gang …
Emergency patch released for SSRF flaw in Zimbra …
Critical Fortinet vulnerability actively exploited
Malware Actively Planted on Vulnerable Barracuda email gateways