Arc
CVE-2025-40896
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The server certificate was not verified when an Arc agent connected to a Guardian or CMC.
A malicious actor could perform a man-in-the-middle attack and intercept the communication between the Arc agent and the Guardian or CMC. This could result in theft of the client token and sensitive information (such as assets and alerts), impersonation of the server, or injection of spoofed data (such as false asset information or vulnerabilities) into the Guardian or CMC.
AnalysisAI
The server certificate was not verified when an Arc agent connected to a Guardian or CMC. A malicious actor could perform a man-in-the-middle attack and intercept the communication between the Arc agent and the Guardian or CMC. [CVSS 6.5 MEDIUM]
Technical ContextAI
Classified as CWE-295 (Improper Certificate Validation). Affects Arc. The server certificate was not verified when an Arc agent connected to a Guardian or CMC.
A malicious actor could perform a man-in-the-middle attack and intercept the communication between the Arc agent and the Guardian or CMC. This could result in theft of the client token and sensitive information (such as assets and alerts), impersonation of the server, or injection of spoofed data (such as false asset information or vulnerabilities) into the Guardian or CMC.
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
CData RSB Connect v22.0.8336 was discovered to contain a Server-Side Request Forgery (SSRF). Rated high severity (CVSS 7
Arc before 1.26.1 on Windows has a bypass issue in the site settings that allows websites (with previously granted permi
Same weakness CWE-295 – Improper Certificate Validation
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today