CVE-2025-40893

MEDIUM
2025-12-18
5.3
CVSS 4.0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: P
Scope: X

Lifecycle Timeline

Analysis Generated: Apr 14, 2026 - 10:27 (vuln.today)

Description

A Stored HTML Injection vulnerability was discovered in the Asset List functionality due to improper validation of network traffic data. An unauthenticated attacker can send specially crafted network packets to inject HTML tags into asset attributes. When a victim views the affected assets in the Asset List (and similar functions), the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.

Analysis

Stored HTML injection in Nozomi Networks CMC and Guardian Asset List functionality allows unauthenticated remote attackers to inject malicious HTML tags into asset attributes via crafted network packets, enabling phishing and open redirect attacks when victims view affected assets. CVSS 5.3 (medium severity) with user interaction required; exploitation is bounded by existing Content Security Policy and input validation that prevent full XSS and direct information disclosure.

Technical Context

The vulnerability is an instance of CWE-79 (Improper Neutralization of Input During Web Page Generation) in the Asset List feature of Nozomi Networks CMC and Guardian products. These network management and cybersecurity platforms ingest and display network traffic metadata; the flaw arises because network packet data is not adequately sanitized before it is stored and rendered in asset attribute fields within the web interface. Because the injected HTML is stored in the application state (stored/persistent injection rather than reflected), any user viewing the affected asset triggers the payload. The CVSS 4.0 vector confirms a network-accessible attack surface (AV:N), low complexity (AC:L), no authentication required (PR:N), and, importantly, user interaction required (UI:P), meaning a victim must view the compromised asset. The mitigating controls (CSP and existing input validation) hold the scored impact to low integrity on the vulnerable system (VI:L) and low confidentiality and integrity on subsequent systems (SC:L, SI:L), preventing full XSS code execution and direct data exfiltration.
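The defect class described above, shown as an added example that is not Nozomi Networks code: an asset row built from traffic-derived attributes without encoding, the same row with output encoding, and an audit helper that flags stored attributes containing tag-like text. All function names, field names and sample assets are hypothetical and constructed for illustration.

```javascript
// Added illustration (not vendor code). Names and sample data are constructed.

// Characters that let text break out of an HTML text node or quoted attribute.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern: attributes learned from traffic are concatenated into markup as-is.
function renderAssetRowUnsafe(asset) {
  return `<tr><td>${asset.ip}</td><td>${asset.hostname}</td><td>${asset.vendor}</td></tr>`;
}

// Hardened pattern: every traffic-derived attribute is encoded at output time.
function renderAssetRow(asset) {
  const cells = [asset.ip, asset.hostname, asset.vendor]
    .map((v) => `<td>${escapeHtml(v)}</td>`);
  return `<tr>${cells.join('')}</tr>`;
}

// Audit helper: report stored attributes that contain something shaped like an
// HTML tag, so already-poisoned records can be reviewed after patching.
const TAG_LIKE = /<\/?[a-zA-Z][^>]*>/;

function findMarkupInAssets(assets) {
  const hits = [];
  for (const asset of assets) {
    for (const [field, value] of Object.entries(asset)) {
      if (typeof value === 'string' && TAG_LIKE.test(value)) {
        hits.push({ ip: asset.ip, field });
      }
    }
  }
  return hits;
}

// Constructed inventory: the second hostname carries a benign <b> tag to stand
// in for injected markup; the vendor field holds harmless special characters.
const SAMPLE_ASSETS = [
  { ip: '192.0.2.10', hostname: 'plc-line-1', vendor: 'ExampleCorp' },
  { ip: '192.0.2.11', hostname: 'hmi<b>injected</b>', vendor: 'R&D "lab"' },
];

console.log(renderAssetRow(SAMPLE_ASSETS[1]));
console.log(findMarkupInAssets(SAMPLE_ASSETS));
```

Encoding at output keeps the stored value intact for forensics while the browser shows it as text; the audit helper is a review aid, not a substitute for the vendor fix.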

Affected Products

Nozomi Networks CMC (all versions affected per CPE cpe:2.3:a:nozominetworks:cmc:*:*:*:*:*:*:*:*) and Nozomi Networks Guardian (all versions affected per CPE cpe:2.3:a:nozominetworks:guardian:*:*:*:*:*:*:*:*). Specific version ranges with remediation status are not detailed in the provided references. The Nozomi Networks security advisory at https://security.nozominetworks.com/NN-2025:14-01 and the related Siemens Product Certification advisory at https://cert-portal.siemens.com/productcert/html/ssa-827968.html should be consulted for version-specific patch details.

Remediation

Consult the Nozomi Networks security advisory at https://security.nozominetworks.com/NN-2025:14-01 and the Siemens Product Certification portal at https://cert-portal.siemens.com/productcert/html/ssa-827968.html for vendor-released patches and exact fixed versions. Apply the recommended patch to all CMC and Guardian instances, particularly those exposed to untrusted network segments. As an interim mitigation, restrict access to the Asset List functionality to trusted users only, implement network segmentation to limit an attacker's ability to deliver crafted packets to the affected products, and ensure Content Security Policy headers remain fully enabled and correctly configured, since per the description above they are part of what keeps injected HTML from escalating to full XSS.

Priority Score

26
KEV: 0
EPSS: +0.1
CVSS: +26
POC: 0
