CVE-2025-0980 Overview
CVE-2025-0980 affects Nokia SR Linux, the network operating system used on Nokia data center and service provider switching platforms. The vulnerability stems from improper validation in the JSON-RPC service authentication path. An attacker can access the JSON-RPC interface without supplying valid authentication credentials. The flaw is categorized under [CWE-284] Improper Access Control.
Successful exploitation grants unauthorized access to network management functions exposed through JSON-RPC. This can lead to disclosure of configuration data, modification of device state, or disruption of routing services on affected systems.
Critical Impact
Invalid authentication validation in the JSON-RPC service allows unauthorized access to management functions on Nokia SR Linux devices, with confidentiality, integrity, and availability all rated High.
Affected Products
- Nokia SR Linux network operating system
- Nokia data center switching platforms running SR Linux with JSON-RPC enabled
- Refer to the Nokia Security Advisory CVE-2025-0980 for the complete list of affected releases
Discovery Timeline
- 2026-01-07 - CVE-2025-0980 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-0980
Vulnerability Analysis
Nokia SR Linux exposes a JSON-RPC (JavaScript Object Notation Remote Procedure Call) service for programmatic device management. Operators use this interface to retrieve state, modify configuration, and automate network operations. The service is intended to enforce authentication before permitting any RPC method invocation.
The vulnerability resides in the credential validation logic of the JSON-RPC service. An invalid validation check allows the request handler to process RPC calls without confirming valid credentials. The flaw maps to [CWE-284] Improper Access Control, reflecting a broken authentication enforcement boundary rather than a credential disclosure issue.
The CVSS vector indicates a local attack vector with high attack complexity and high privileges required. Exploitation requires conditions consistent with access to a management interface or adjacent network position rather than direct internet exposure. Successful exploitation yields high impact on confidentiality, integrity, and availability because JSON-RPC can read and modify device configuration.
Root Cause
The authentication routine for the JSON-RPC endpoint accepts requests that should be rejected. According to Nokia, an invalid validation step in the authentication path fails to enforce the requirement for valid credentials. Requests that meet the flawed validation condition are passed to the RPC dispatcher as if authenticated.
Attack Vector
An attacker with access to the management plane of an SR Linux device sends crafted JSON-RPC requests to the service. Because the validation check is invalid, the request proceeds without legitimate authentication. The attacker can then invoke supported RPC methods to read configuration, push changes, or interact with device subsystems exposed through the API.
No public proof-of-concept exploit, exploit database entry, or CISA KEV listing exists for CVE-2025-0980 at the time of publication. The EPSS data reflects a low probability of exploitation in the wild.
Detection Methods for CVE-2025-0980
Indicators of Compromise
- JSON-RPC requests to SR Linux devices from sources outside approved management workstations or automation systems
- Successful JSON-RPC method invocations recorded without a corresponding authenticated user session in device logs
- Unexpected configuration commits, interface state changes, or routing modifications applied via the JSON-RPC interface
- Repeated JSON-RPC connections from a single source enumerating supported methods
Detection Strategies
- Review SR Linux audit and authentication logs for JSON-RPC sessions that lack a valid user binding
- Compare configuration commit history against approved change records and automation pipelines
- Inspect TCP sessions to the JSON-RPC listener port for traffic from unexpected client addresses
- Correlate device management plane telemetry with NetFlow or sFlow records to identify anomalous management traffic
Monitoring Recommendations
- Forward SR Linux system, audit, and JSON-RPC logs to a central log platform for retention and correlation
- Alert on configuration changes that occur outside scheduled maintenance windows or approved automation jobs
- Monitor management VRF traffic for new source addresses contacting the JSON-RPC service
- Track failed and successful authentication events on the management interface for baseline deviation
How to Mitigate CVE-2025-0980
Immediate Actions Required
- Apply the fixed SR Linux release identified in the Nokia Security Advisory CVE-2025-0980
- Restrict reachability of the JSON-RPC service to a dedicated management VRF and a small allowlist of management hosts
- Audit existing JSON-RPC users, tokens, and roles, and remove unused accounts
- Review recent configuration commits and authentication logs for evidence of unauthorized access
Patch Information
Nokia has published remediation guidance and fixed release information in the Nokia Security Advisory CVE-2025-0980. Operators should consult the advisory to identify the fixed SR Linux version for their deployed release train and schedule an upgrade.
Workarounds
- Disable the JSON-RPC service on devices where it is not required for operations or automation
- Enforce access control lists on the management interface to permit JSON-RPC only from authorized automation hosts
- Place the JSON-RPC listener behind a management jump host that performs additional authentication
- Rotate credentials and API tokens used with the JSON-RPC service after applying the fix
# Example: restrict JSON-RPC exposure on SR Linux
# Consult Nokia documentation for syntax matching your release
# 1. Confirm whether JSON-RPC is required
# 2. If not required, disable the service
# 3. If required, bind it to the management network-instance and apply ACLs
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

