Skip to main content

Cmc CVE-2025-40898

HIGH
Path Traversal (CWE-22)
2025-12-18 prodsec@nozominetworks.com
7.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 14, 2026 - 10:27 vuln.today

DescriptionCVE.org

A path traversal vulnerability was discovered in the Import Arc data archive functionality due to insufficient validation of the input file. An authenticated user with limited privileges, by uploading a specifically-crafted Arc data archive, can potentially write arbitrary files in arbitrary paths, altering the device configuration and/or affecting its availability.

AnalysisAI

Path traversal in Nozomi Networks CMC and Guardian allows authenticated users with limited privileges to write arbitrary files to any system location by uploading a malicious Arc data archive. This enables device configuration tampering and denial-of-service attacks. Attack requires low-privilege authentication but has high integrity and availability impact (CVSS 7.2). No public exploit identified at time of analysis, though the attack vector is straightforward for authenticated insiders or compromised accounts.

Technical ContextAI

This vulnerability affects the Arc data archive import functionality in Nozomi Networks CMC (Central Management Console) and Guardian industrial network monitoring platforms, identified via CPE strings cpe:2.3:a:nozominetworks:cmc and cpe:2.3:a:nozominetworks:guardian. The root cause is CWE-22 (Path Traversal), also known as directory traversal or dot-dot-slash attack. The import mechanism fails to properly sanitize or validate file paths within uploaded Arc archives, allowing directory traversal sequences like '../' to escape intended directories. Arc files are likely compressed archives used for configuration import/export or data migration. Without proper canonicalization and validation of extracted file paths against a safe directory boundary, attackers can specify absolute paths or use traversal sequences to write to sensitive system locations such as configuration directories, startup scripts, or application binaries. The CVSS 4.0 vector indicates network-accessible attack surface (AV:N) with low complexity (AC:L) requiring only low-privilege authentication (PR:L), resulting in high integrity and availability impact (VI:H, VA:H) with no confidentiality impact (VC:N).

RemediationAI

Apply vendor-released security updates as detailed in Nozomi Networks security advisory NN-2025:15-01 available at https://security.nozominetworks.com/NN-2025:15-01. Exact patched versions should be confirmed from the vendor advisory. Organizations should also review Siemens advisory SSA-827968 at https://cert-portal.siemens.com/productcert/html/ssa-827968.html if using Siemens-branded or integrated versions of these products. As an interim mitigation until patching is complete, restrict Arc data archive import functionality to only highly trusted administrators through role-based access controls, implement strict approval workflows for archive imports, and monitor system logs for unexpected file creation or modification events outside normal operational patterns. Network segmentation should ensure management interfaces for CMC and Guardian are accessible only from trusted administrative networks, not directly from monitored OT segments or untrusted networks.

More in Cmc

View all
CVE-2023-29245 CRITICAL
9.2 Sep 19

A SQL Injection vulnerability in Nozomi Networks Guardian and CMC, due to improper input validation in certain fields us

CVE-2026-31984 HIGH
8.7 Jul 09

Disk-exhaustion denial of service in Nozomi Networks Guardian and Central Management Console (CMC) lets a remote, unauth

CVE-2023-2567 HIGH
8.7 Sep 19

A SQL Injection vulnerability has been found in Nozomi Networks Guardian and CMC, due to improper input validation in ce

CVE-2023-23574 HIGH
8.7 Aug 09

A blind SQL Injection vulnerability in Nozomi Networks Guardian and CMC, due to improper input validation in the alerts_

CVE-2023-22378 HIGH
8.7 Aug 09

A blind SQL Injection vulnerability in Nozomi Networks Guardian and CMC, due to improper input validation in the sorting

CVE-2022-0551 HIGH
8.6 Mar 24

Improper Input Validation vulnerability in project file upload in Nozomi Networks Guardian and CMC allows an authenticat

CVE-2022-0550 HIGH
8.6 Mar 24

Improper Input Validation vulnerability in custom report logo upload in Nozomi Networks Guardian, and CMC allows an auth

CVE-2023-32649 HIGH
8.2 Sep 19

A Denial of Service (Dos) vulnerability in Nozomi Networks Guardian and CMC, due to improper input validation in certain

CVE-2023-22843 HIGH
7.3 Aug 09

An authenticated attacker with administrative access to the web management interface can inject malicious JavaScript cod

CVE-2026-33390 HIGH
7.2 Jul 09

Privilege escalation via configuration synchronization in Nozomi Networks Guardian and Central Management Console (CMC)

CVE-2025-40897 HIGH
7.2 Apr 15

Privilege escalation in Nozomi Networks Guardian and CMC Threat Intelligence module allows authenticated view-only users

CVE-2025-40899 HIGH
7.1 Apr 15

Stored Cross-Site Scripting (XSS) in Nozomi Networks Guardian and CMC allows authenticated attackers with custom field p

Share

CVE-2025-40898 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy