A critical authentication bypass vulnerability has emerged in Nokia’s CloudBand Infrastructure Software (CBIS) and Nokia Container Service (NCS) Manager API, designated as CVE-2023-49564.
This high-severity flaw, scoring 9.6 on the CVSS v3.1 scale, enables unauthorized attackers to circumvent authentication mechanisms through specially crafted HTTP headers, potentially granting complete access to restricted API endpoints without valid credentials.
The vulnerability affects CBIS 22 and NCS 22.12 versions, impacting enterprises, service providers, and public sector organizations utilizing Nokia’s cloud and network infrastructure solutions.
The flaw was publicly disclosed on September 18, 2025, following discovery by Orange Cert researchers who identified the security gap during routine security assessments.
Nokia security researchers identified the root cause as a weak verification mechanism embedded within the authentication implementation of the Nginx Podman container running on the CBIS/NCS Manager host machine.
This architectural weakness allows threat actors to manipulate HTTP header fields to trick the authentication system into believing a request is legitimate.
The exploitation vector requires adjacent network access (CVSS AV:A), making it particularly concerning for enterprise environments where attackers might already have gained initial network foothold.
Once exploited, the vulnerability provides complete compromise capabilities with high confidentiality, integrity, and availability impact, allowing attackers to access sensitive configuration data, modify system settings, and potentially disrupt network operations.
Technical Attack Mechanism
The authentication bypass operates through header manipulation targeting the Nginx container’s verification logic.
When processing API requests, the system fails to properly validate authentication tokens embedded in HTTP headers, creating an opportunity for crafted requests to bypass security controls.
The vulnerability allows unauthenticated users to reach sensitive endpoints that should require administrative privileges.
| Vulnerability Details | Information |
|---|---|
| CVE ID | CVE-2023-49564 |
| CVSS Score | 9.6 (Critical) |
| Attack Vector | Adjacent Network |
| Affected Products | CBIS 22, NCS 22.12 |
| Fix Versions | CBIS 22 FP1 MP1.2, NCS 22.12 MP3 |
Organizations can partially mitigate risks by implementing external firewall restrictions on management network access while applying the patches provided in CBIS 22 FP1 MP1.2 and NCS 22.12 MP3 versions.
Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
