CVE-2021-35485 Overview
CVE-2021-35485 is an arbitrary file upload vulnerability in the Applications component of the Nokia IMPACT IoT platform. An authenticated user can upload server-side executable files through the fileupload parameter of the /ui/rest-proxy/application endpoint. The upload is reachable both when adding a new application and when editing an existing one, and a file that the server later serves or interprets gives the attacker remote code execution on the IMPACT host.
Critical Impact
Authenticated attackers with adjacent network access can upload malicious executable files to the Nokia IMPACT server, potentially achieving remote code execution and full system compromise of IoT infrastructure.
Affected Products
- Nokia IMPACT IoT Platform versions through 19.11.2.10-20210118042150283
Disclosure Timeline
- 2026-03-03 - CVE-2021-35485 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2021-35485
Vulnerability Analysis
This vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The Applications component of Nokia IMPACT does not validate or restrict the type of file submitted during an upload. An authenticated user with access to application management can therefore send arbitrary server-side executable files in the fileupload parameter of the /ui/rest-proxy/application endpoint.
The attack requires valid credentials and adjacent network access: in CVSS terms the attacker must be on the same shared physical or logical network as the IMPACT server (for example the same subnet or VLAN) rather than anywhere on the Internet. Once an uploaded file is executed, the vulnerability compromises the confidentiality, integrity and availability of the affected system.
Root Cause
The root cause of CVE-2021-35485 lies in insufficient file type validation within the Nokia IMPACT Applications component. The /ui/rest-proxy/application endpoint accepts file uploads without properly restricting the types of files that can be uploaded. This allows authenticated users to bypass intended security controls and upload potentially malicious server-side executable files such as web shells, scripts, or compiled binaries.
The vulnerability exists in both the application creation workflow and the application editing workflow, which suggests that the upload handler shared by both paths lacks validation rather than one workflow being a special case.
Attack Vector
The attack vector for this vulnerability requires an authenticated user with adjacent network access to the Nokia IMPACT platform. The attacker must:
- Authenticate to the Nokia IMPACT web interface with valid credentials
- Navigate to the application management functionality
- Exploit the fileupload parameter in the /ui/rest-proxy/application endpoint
- Upload a malicious server-side executable file (e.g., web shell, reverse shell script)
- Trigger the uploaded file to gain unauthorized access or control; this requires the server to store the file somewhere the application runtime serves or interprets, and where the file lands is deployment-specific and not described in the advisory
The adjacent network requirement means the attacker must be positioned on the same local network segment as the target Nokia IMPACT server, which may include internal corporate networks or IoT management networks.
Detection Methods for CVE-2021-35485
Indicators of Compromise
- Unusual file uploads to the Nokia IMPACT application directories, particularly executable files with extensions like .jsp, .php, .sh, or .exe
- Suspicious HTTP POST requests to the /ui/rest-proxy/application endpoint with file upload payloads
- Unexpected server-side script executions or process spawning from Nokia IMPACT application directories
- Anomalous authentication patterns followed by file upload activity
Detection Strategies
- Monitor HTTP traffic to the /ui/rest-proxy/application endpoint for file upload requests containing executable file types
- Implement file integrity monitoring on Nokia IMPACT application directories to detect unauthorized file additions
- Review application logs for file upload events, particularly those involving non-standard file types
- Deploy web application firewalls (WAF) configured to inspect multipart form data for malicious payloads
Monitoring Recommendations
- Enable detailed logging for the Nokia IMPACT Applications component to capture all file upload activity
- Configure alerts for file creation events in web-accessible directories on the Nokia IMPACT server
- Implement network segmentation monitoring to detect lateral movement from compromised IoT management infrastructure
- Regularly audit user accounts and access permissions to the application management functionality
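As an added illustration of the file integrity monitoring recommended above (this is example code, not Nokia's, and not a substitute for a host agent such as auditd or OSSEC), the following Python script takes a SHA-256 baseline of a directory, compares a later snapshot against it, and raises a high-severity alert for any new or modified file with a server-side executable extension. The directory tree, the "webapps" path and the extension list are constructed for the example; the real IMPACT web application paths are deployment-specific and must be substituted.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Server-side executable types called out above; extend to suit the runtime.
EXECUTABLE_EXT = {".jsp", ".jspx", ".php", ".sh", ".exe", ".war", ".jar", ".class"}


def snapshot(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    state = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            state[path.relative_to(root).as_posix()] = digest
    return state


def save_baseline(state: dict, baseline_file: Path) -> None:
    """Persist the baseline. Keep it off-host in practice, so an attacker who
    can write to the web directory cannot also rewrite the baseline."""
    baseline_file.write_text(json.dumps(state, indent=2, sort_keys=True))


def load_baseline(baseline_file: Path) -> dict:
    return json.loads(baseline_file.read_text())


def diff(baseline: dict, current: dict) -> list:
    """Return one alert per file that was added, modified or removed.
    Severity is 'high' for an added/modified executable type, 'info' otherwise."""
    alerts = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            change = "added"
        elif rel not in current:
            change = "removed"
        elif baseline[rel] != current[rel]:
            change = "modified"
        else:
            continue
        executable = Path(rel).suffix.lower() in EXECUTABLE_EXT
        severity = "high" if executable and change != "removed" else "info"
        alerts.append({"file": rel, "change": change, "severity": severity,
                       "sha256": current.get(rel)})
    return alerts


def demo() -> list:
    """Run the baseline/compare cycle on a constructed directory tree."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp) / "webapps"      # assumed layout, not IMPACT's real path
        (webroot / "apps").mkdir(parents=True)
        (webroot / "apps" / "manifest.json").write_text('{"name": "demo-app"}')
        (webroot / "index.html").write_text("<html></html>")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(webroot), baseline_file)

        # Simulate what a successful upload leaves behind: a new JSP file in a
        # served directory, plus a benign edit to an existing file.
        (webroot / "apps" / "cmd.jsp").write_text('<% out.println("hello"); %>')
        (webroot / "index.html").write_text("<html><body>updated</body></html>")

        return diff(load_baseline(baseline_file), snapshot(webroot))


if __name__ == "__main__":
    for alert in demo():
        print(json.dumps(alert))
```

Run it periodically from a cron job or, better, feed the same `diff` logic from an inotify or auditd event stream so that the alert fires within seconds of the file being written rather than at the next scheduled scan.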
How to Mitigate CVE-2021-35485
Immediate Actions Required
- Restrict network access to the Nokia IMPACT platform to only authorized administrative networks
- Review and remove any suspicious files from Nokia IMPACT application directories
- Audit user accounts with access to application management functionality and revoke unnecessary permissions
- Implement additional network segmentation to isolate the Nokia IMPACT server from general network access
Patch Information
Organizations should contact Nokia directly for patching guidance and security updates for the IMPACT IoT platform. First confirm the deployed build: every version up to and including 19.11.2.10-20210118042150283 is affected, so compare the installed build string against that value before assuming a deployment is safe. Review the Gruppo TIM Analysis for additional technical details. Nokia's Responsible Disclosure Policy provides contact information for security-related inquiries.
Workarounds
- Implement a strict file type allow list at the web application firewall: inspect the filename and the content of the fileupload part in multipart requests to /ui/rest-proxy/application and block anything that is not an expected package type
- Deploy application-layer controls that restrict the file types accepted by the upload functionality; allow-list expected extensions and verify the content matches, rather than block-listing known executable extensions, which is easily bypassed with double extensions or alternative suffixes
- Enable additional authentication requirements (MFA) for users with application management privileges
- Consider disabling or restricting access to the application management feature until a patch is available
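The multipart inspection described under Detection Strategies and the allow-list workaround above come down to the same check: parse the multipart body of a POST to /ui/rest-proxy/application, find the fileupload part, and decide from its filename and its leading bytes whether it is an acceptable package. The following Python script is an added example of that check; it is not Nokia's code and is not taken from the Gruppo TIM analysis, and it uses only the standard library's email parser for the multipart body. The sample request it builds is constructed, the extra form field "name", the allow list of acceptable extensions and the magic-byte table are assumptions, and the JSP payload is a harmless one-liner used only to show content sniffing.

```python
import email.parser
import email.policy
import posixpath
from typing import Optional

UPLOAD_PATH = "/ui/rest-proxy/application"

# Types an application package is assumed to legitimately contain (assumption;
# derive the real list from what the IMPACT UI actually accepts).
ALLOWED_EXTENSIONS = {".json", ".yaml", ".yml", ".zip", ".png"}
# Server-side executable types that must never be accepted.
DANGEROUS_EXTENSIONS = {".jsp", ".jspx", ".php", ".sh", ".exe", ".war", ".jar", ".class"}
# Content signatures; first match wins. Text signatures are also tried after
# stripping leading whitespace, a common trick to dodge naive checks.
MAGIC = [
    (b"\x7fELF", "elf"), (b"MZ", "pe"), (b"PK\x03\x04", "zip"),
    (b"\x89PNG\r\n\x1a\n", "png"), (b"<%", "jsp"), (b"<?php", "php"), (b"#!", "script"),
]
EXECUTABLE_CONTENT = {"elf", "pe", "jsp", "php", "script"}
EXPECTED_CONTENT = {".zip": "zip", ".png": "png"}   # binary types whose magic we can verify


def sniff(data: bytes) -> Optional[str]:
    """Identify the content type from its leading bytes, ignoring the name."""
    stripped = data.lstrip()
    for magic, kind in MAGIC:
        if data.startswith(magic) or stripped.startswith(magic):
            return kind
    return None


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, parsed headers+body)."""
    request_line, _, rest = raw.partition(b"\r\n")
    method, target, _version = request_line.decode("ascii").split(" ", 2)
    msg = email.parser.BytesParser(policy=email.policy.default).parsebytes(rest)
    return method, target.split("?", 1)[0], msg


def inspect_upload(raw: bytes) -> dict:
    """Return the verdict for the 'fileupload' part of a request, if any."""
    method, path, msg = parse_request(raw)
    result = {"path": path, "filename": None, "sniffed": None,
              "decision": "ignore", "reasons": []}
    if method != "POST" or not path.startswith(UPLOAD_PATH) or not msg.is_multipart():
        return result
    for part in msg.iter_parts():
        if part.get_param("name", header="content-disposition") != "fileupload":
            continue
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        reasons = result["reasons"]

        # Normalise the name: no directory components, no NUL bytes.
        base = posixpath.basename(name.replace("\\", "/"))
        result["filename"] = base
        if "\x00" in name or base != name or not base:
            reasons.append("filename empty or contains path/NUL characters")

        # Every suffix counts, so shell.jsp.png is still treated as executable.
        suffixes = ["." + s for s in base.lower().split(".")[1:]]
        ext = suffixes[-1] if suffixes else ""
        if any(s in DANGEROUS_EXTENSIONS for s in suffixes):
            reasons.append(f"executable extension in {base!r}")
        elif ext not in ALLOWED_EXTENSIONS:
            reasons.append(f"extension {ext!r} not on the allow list")

        # The name is attacker-controlled; the content is what would execute.
        kind = sniff(data)
        result["sniffed"] = kind
        if kind in EXECUTABLE_CONTENT:
            reasons.append(f"content looks like {kind}")
        elif ext in EXPECTED_CONTENT and kind != EXPECTED_CONTENT[ext]:
            reasons.append(f"content does not match {ext}")

        result["decision"] = "block" if reasons else "allow"
    return result


BOUNDARY = "----ImpactUploadBoundary"


def build_request(filename: str, content: bytes, method: str = "POST") -> bytes:
    """Construct a sample request to the upload endpoint (not captured traffic;
    the 'name' form field is an assumption)."""
    body = (
        f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="name"\r\n\r\ndemo-app\r\n'
        f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="fileupload"; '
        f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n\r\n'
    ).encode() + content + f"\r\n--{BOUNDARY}--\r\n".encode()
    head = (
        f"{method} {UPLOAD_PATH} HTTP/1.1\r\nHost: impact.example.internal\r\n"
        f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode()
    return head + body


if __name__ == "__main__":
    for fname, payload in [("shell.jsp", b'<% out.println("hello"); %>'),
                           ("shell.jsp.png", b"  <% %>"),
                           ("app.zip", b"PK\x03\x04" + bytes(16)),
                           ("config.json", b'{"name": "demo-app"}')]:
        print(fname, inspect_upload(build_request(fname, payload))["decision"])
```

The same function serves both purposes: run it in blocking mode at a WAF or reverse proxy in front of IMPACT as the workaround, or run it in logging mode over mirrored traffic and raise an alert whenever `decision` is `block`, which is the detection strategy. Note that a verdict of `allow` only means the file looks like an expected type; the server-side fix still has to store uploads outside any directory the runtime interprets.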
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


