
Security Bulletin – Ericsson High Severity Vulnerability in EMCLI included in Ericsson RAN Compute and Site Controller, October 2025

Summary:

Ericsson has released an update for EMCLI to address a high severity vulnerability. Ericsson PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this bulletin.

Vulnerability description:

This section summarizes the vulnerability issue and potential impact that this security update addresses. 

CVE-2025-0636 – EMCLI contains a high severity vulnerability in which improper neutralization of special elements used in an OS command could be exploited, leading to arbitrary code execution.

CVSS Base Score: 8.4  
Severity: High
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Weakness Type: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') 

Security update:

The following table lists the Ericsson products affected, versions affected, and the updated version that includes this security update.

To protect your system, download and install the updated version.

| CVE Addressed | Product Name | Affected Versions | Updated Versions |
|---|---|---|---|
| CVE-2025-0636 | RAN Compute (all BB versions) | All versions prior to 24.Q1.C5 | 24.Q1.C5, 24.Q2, 24.Q3, 24.Q4, 25.Q1, RCG123.1, RCG123.2, RCG123.3 |
| CVE-2025-0636 | Site Controller 6610 | All versions prior to S24.Q2 | S24.Q2, S24.Q3.1, S24.Q4, S25.Q1 |

Mitigations:

See the solutions above for the versions to install.

Additional information:

  • Ericsson severity assessment of a vulnerability is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your organization. We recommend evaluating the risk to your specific configuration.
  • If you have any questions regarding this bulletin, please reach out to your local Ericsson support representative. For more information, see our Customer Support page.
  • To learn more about the vulnerability management process followed by the Ericsson Product Security Incident Response Team (PSIRT), see the Ericsson PSIRT page.

Revision history:

| Revision | Date | Description |
|---|---|---|
| 1.0 | October 9, 2025 | Initial Release |

© Ericsson AB 2025. All rights reserved. No part of this message may be reproduced in any form without the written permission of the copyright owner. The contents of this document are subject to revision without notice due to continued progress in methodology, design and manufacturing. Ericsson shall have no liability for any error or damage of any kind resulting from the use of this message.