CVE-2025-9912 Overview
CVE-2025-9912 is a local privilege escalation vulnerability in Nokia SR Linux, the network operating system used on Nokia service router platforms. An authenticated user can exploit the flaw to execute arbitrary commands with superuser privilege. The weakness is categorized under [CWE-269] Improper Privilege Management.
The vulnerability requires local access and high privileges, but it grants full administrative control over the routing platform on success. Compromise of SR Linux can disrupt traffic forwarding, expose configuration data, and provide persistence on core network infrastructure.
Critical Impact
Authenticated local users can escalate to superuser on Nokia SR Linux, gaining full control of the network operating system and the underlying router platform.
Affected Products
- Nokia SR Linux (see vendor advisory for affected releases)
- Nokia service router platforms running SR Linux
- Refer to the Nokia Security Advisory CVE-2025-9912 for the version matrix
Discovery Timeline
- 2026-06-16 - CVE-2025-9912 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-9912
Vulnerability Analysis
The flaw lets an authenticated SR Linux user run arbitrary commands as the superuser account. Once escalated, the attacker controls the routing daemon, the management plane, and any process running on the network operating system.
Impact on confidentiality is rated low because the attacker already holds an account on the device, but impact on integrity and availability is high. An attacker can modify configuration, alter routing state, install backdoors, or take the device offline. Because SR Linux runs on production routers, compromise affects the data plane as well as the management plane.
The attack vector is local and requires no user interaction. Attack complexity is low, meaning a working technique is repeatable once known. The EPSS probability is 0.11%, reflecting the local privilege requirement rather than the technical severity of a successful exploit.
Root Cause
The root cause is improper privilege management within SR Linux ([CWE-269]). A function, command path, or service available to lower-privileged authenticated users performs an action that should be restricted to the superuser context. Nokia has not published low-level exploitation details. See the Nokia Security Advisory CVE-2025-9912 for vendor-provided technical context.
Attack Vector
Exploitation requires the attacker to first authenticate to SR Linux with valid credentials. The attacker then invokes the vulnerable code path from the local CLI or management interface to obtain superuser command execution. No remote, unauthenticated path is described in the advisory.
No public proof-of-concept code is available for CVE-2025-9912. The vulnerability mechanism is described in prose only; refer to the vendor advisory for affected versions and exploitation prerequisites.
Detection Methods for CVE-2025-9912
Indicators of Compromise
- Unexpected command execution under the superuser account from sessions that originated as non-privileged users
- Configuration changes on SR Linux that do not correspond to authorized change tickets
- New local accounts, SSH keys, or service bindings added to the SR Linux management plane
- Audit log gaps or log tampering around the time of suspicious privilege transitions
Detection Strategies
- Forward SR Linux audit and authentication logs to a central SIEM and alert on privilege transitions from non-admin to superuser
- Baseline expected administrative commands per account and flag deviations
- Correlate CLI command history with change management records to surface unauthorized activity
Monitoring Recommendations
- Monitor aaa accounting logs and syslog output for sudo-equivalent escalations on SR Linux
- Track logins from service accounts that normally do not execute interactive commands
- Alert on modifications to user role assignments and role-based access control policies
How to Mitigate CVE-2025-9912
Immediate Actions Required
- Apply the fixed SR Linux release listed in the Nokia Security Advisory CVE-2025-9912 as soon as a maintenance window allows
- Audit all local SR Linux accounts and remove unused or shared credentials
- Rotate passwords and SSH keys for any account that may have been exposed
- Restrict management plane access to a dedicated out-of-band network and trusted jump hosts
Patch Information
Nokia has published a security advisory for CVE-2025-9912. Affected versions and fixed releases are documented in the Nokia Security Advisory CVE-2025-9912. Upgrade to a fixed SR Linux build per vendor guidance.
Workarounds
- Limit SR Linux login access to a small, audited group of network operators until patched
- Enforce strong authentication, including multi-factor authentication, on jump hosts that reach the management plane
- Disable or restrict any optional SR Linux features identified by Nokia as part of the vulnerable code path
- Increase audit logging verbosity and ship logs off-device to detect exploitation attempts
# Example: restrict SR Linux management access to a trusted subnet
# Apply via configuration mode on the device
set / system management-interface ssh-server admin-state enable
set / acl ipv4-filter mgmt-acl entry 10 match source-ip prefix 10.0.0.0/24
set / acl ipv4-filter mgmt-acl entry 10 action accept
set / acl ipv4-filter mgmt-acl entry 100 action drop
commit stay
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

