{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-21T19:44:50.333","vulnerabilities":[{"cve":{"id":"CVE-2025-48219","sourceIdentifier":"cve@mitre.org","published":"2025-05-18T15:15:17.340","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[{"sourceIdentifier":"cve@mitre.org","tags":["exclusively-hosted-service"]}],"descriptions":[{"lang":"en","value":"O2 UK before 2025-05-19 allows subscribers to determine the Cell ID of other subscribers by initiating an IMS (IP Multimedia Subsystem) call and then reading the utran-cell-id-3gpp field of a Cellular-Network-Info SIP header, aka an ECI (E-UTRAN Cell Identity) leak. The Cell ID might be usable to identify a cell location via crowdsourced data, and might correspond to a small physical area (e.g., if the called party is in a city centre). Removal of the Cellular-Network-Info header is mentioned in section 4.4.19 of ETSI TS 124 229."},{"lang":"es","value":"O2 UK, hasta el 17/05/2025, permite a los suscriptores determinar el ID de celda de otros suscriptores iniciando una llamada IMS (Subsistema Multimedia IP) y leyendo el campo utran-cell-id-3gpp de una cabecera SIP Cellular-Network-Info, también conocida como fuga de ECI (Identidad de Celda E-UTRAN). El ID de celda podría utilizarse para identificar la ubicación de una celda mediante datos de colaboración abierta y podría corresponder a un área física pequeña (por ejemplo, si el receptor de la llamada se encuentra en el centro de una ciudad). La eliminación de la cabecera Cellular-Network-Info se menciona en la sección 4.4.19 de ETSI TS 124 229."}],"metrics":{"cvssMetricV31":[{"source":"cve@mitre.org","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N","baseScore":3.5,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":1.8,"impactScore":1.4}]},"weaknesses":[{"source":"cve@mitre.org","type":"Secondary","description":[{"lang":"en","value":"CWE-201"}]}],"references":[{"url":"https://mastdatabase.co.uk/blog/2025/05/o2-expose-customer-location-call-4g/","source":"cve@mitre.org"},{"url":"https://news.ycombinator.com/item?id=44014046","source":"cve@mitre.org"},{"url":"https://www.etsi.org/deliver/etsi_ts/124200_124299/124229/15.10.00_60/ts_124229v151000p.pdf","source":"cve@mitre.org"},{"url":"https://www.ispreview.co.uk/index.php/2025/05/o2-uk-fixes-volte-flaw-that-exposed-user-mobile-location-data.html","source":"cve@mitre.org"}]}}]}