Impact
The vulnerability originates from the Software Manager application’s failure to properly validate input parameters that reference file system paths. An attacker who can influence these inputs may construct a request containing relative path components such as "..\" or "../../" to read files outside the intended directory. This enables the disclosure of sensitive files, potentially exposing configuration data, logs, or other confidential information. The weakness does not grant arbitrary code execution or privilege escalation, but it can compromise confidentiality within the affected device. The weakness corresponds to the CWE-23 classification of relative path traversal.
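A containment check of the kind whose absence the paragraph above describes, shown as an added example (it is not Nokia's code and is not taken from the advisory). The function name `resolve_inside`, the `packages` directory and all sample file names are hypothetical and constructed for the demonstration.

```python
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a requested name would resolve outside the base directory."""


def resolve_inside(base_dir, requested):
    """Return the absolute path for `requested` only if it stays under base_dir."""
    base = Path(base_dir).resolve()
    # Treat "\" as a separator on every platform so "..\" is caught on POSIX too.
    normalized = requested.replace("\\", "/")
    if "\x00" in normalized:
        raise PathTraversalError("NUL byte in path")
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        raise PathTraversalError("absolute path not allowed")
    # Resolve "..", "." and symlinks first, then compare against the base.
    candidate = (base / normalized).resolve()
    if candidate != base and base not in candidate.parents:
        raise PathTraversalError(f"{requested!r} escapes {base}")
    return candidate


def demo():
    """Run the check over constructed inputs; returns {input: allowed?}."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = Path(root) / "packages"          # hypothetical served directory
        base.mkdir()
        (base / "release.txt").write_text("ok")
        (Path(root) / "secret.conf").write_text("password=constructed")
        for name in ["release.txt", "sub/../release.txt", "../secret.conf",
                     "..\\secret.conf", "../../etc/passwd", "/etc/passwd"]:
            try:
                resolve_inside(base, name)
                results[name] = True
            except PathTraversalError:
                results[name] = False
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY '} {name!r}")
```

The comparison is made on the resolved path rather than by searching the input for "..", so a benign name such as `sub/../release.txt` is still accepted while every form that leaves the base directory is refused.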
Affected Systems
All builds of Nokia MantaRay NM are vulnerable as the defect resides in the core Software Manager component. Without an applied vendor patch, any instance of the device that exposes the Software Manager interface to users or remote agents remains at risk. Specific version identifiers are not supplied, so all deployed firmware versions should be considered affected until a vendor update is released.
Risk and Exploitability
The CVSS base score of 5.7 indicates moderate impact, reflecting the limited nature of the disclosure. Because EPSS data is unavailable, the assessed likelihood of exploitation remains uncertain, but path traversal flaws are frequently targeted in practice. The vulnerability is not listed in CISA’s KEV catalog, suggesting no widely known, actively exploited examples at the time of reporting. The probable attack vector is remote, through interactions with the Software Manager interface, which may be accessed over local or network connections depending on configuration. An attacker would need the ability to send crafted input to the application; no additional privileges or user interaction are required beyond that.