Security Bulletin – Ericsson Catalog Manager (ECM) and Ericsson Order Care (EOC), September 2025

Summary:

Ericsson has released an update for Ericsson Catalog Manager and Ericsson Order Care to address a security issue that if exploited may lead to information disclosure.

Vulnerability description:

This section summarizes the vulnerability issue and potential impact that this security update addresses.

CVE-2024-25011 – Ericsson Catalog Manager and Ericsson Order Care APIs do not have authentication enabled by default. Authentication checks can be configured to remediate the information disclosure issue.

CVSS Base Score: 5.3
Severity: Medium
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weakness Type: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Security update:

The following table lists the Ericsson products affected, versions affected, and the updated version that includes this security update.

To protect your system, download and install the updated version.

CVE Addressed	Product Name	Affected Released Versions	Updated Release Version
CVE-2024-25011	Ericsson Order Care (EOC) Ericsson Catalog Manager (ECM)	All versions prior to and including 22.6	22.7

CVE Addressed

Product Name

Affected Released Versions

Updated Release Version

CVE-2024-25011

Ericsson Order Care (EOC)

Ericsson Catalog Manager (ECM)

All versions prior to and including 22.6

22.7

Workaround for affected versions:

If you are unable to upgrade to the fixed versions where the required flag will be enabled by default, authentication checks can be configured under System Configuration to remediate the issue.

Additional information:

Ericsson severity assessment of a vulnerability is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your organization. We recommend evaluating the risk to your specific configuration.
If you have any questions regarding this bulletin, please reach out to your local Ericsson support representative, for more information see our Customer Support page.
Learn more about the vulnerability management process followed by the Ericsson Product Security Incident Response Team (PSIRT), see Ericsson PSIRT page.

Revision history:

Revision	Date	Description
1.0	September 18, 2025	Initial Release

© Ericsson AB 2025. All rights reserved. No part of this message may be reproduced in any form without the written permission of the copyright owner. The contents of this document are subject to revision without notice due to continued progress in methodology, design and manufacturing. Ericsson shall have no liability for any error or damage of any kind resulting from the use of this message. For questions, please contact Ericsson Local Support or connect with us on the Omni Network Channel section of My Ericsson. Visit us at Support User Preferences to unsubscribe.