Skip to main content

Nozomi Networks Guardian CVE-2025-40901

| EUVDEUVD-2025-209894 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-19 Nozomi GHSA-m7v5-79cg-6pqf
4.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 19, 2026 - 14:34 vuln.today
CVSS changed
May 19, 2026 - 14:22 NVD
5.9 (MEDIUM) 4.8 (MEDIUM)
Patch available
May 19, 2026 - 14:02 EUVD

DescriptionCVE.org

A Stored HTML Injection vulnerability was discovered in the Credentials Manager functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can define a malicious identity containing HTML tags. When a victim attempts to delete the affected identity, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.

AnalysisAI

Stored HTML injection in Nozomi Networks Guardian and CMC (Central Management Console) Credentials Manager allows authenticated administrators to plant malicious HTML inside identity definitions. When a separate user attempts to delete the poisoned identity, the injected HTML renders in their browser, enabling phishing lures and open redirect attacks against that user. Full script execution (XSS) and direct information disclosure are constrained by existing input validation and Content Security Policy headers, limiting the achievable impact to social engineering vectors. No public exploit code exists and this vulnerability is not listed in CISA KEV at time of analysis.

Technical ContextAI

Nozomi Networks Guardian and its Central Management Console (CMC) are OT/ICS network visibility and security platforms, identified by CPE strings cpe:2.3:a:nozomi_networks:guardian:*:*:*:*:*:*:*:* and cpe:2.3:a:nozomi_networks:cmc:*:*:*:*:*:*:*:*. The vulnerability resides in the Credentials Manager feature, which allows administrators to define named identities used for device credential management. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-controlled input - specifically an identity name - is not fully sanitized before being persisted and later reflected into a rendered HTML context. The injection is 'stored' (persistent) rather than reflected, so it survives server restarts and triggers on a delayed action (deletion attempt) rather than immediately on input. The platform's Content Security Policy partially mitigates the risk by blocking inline script execution, which prevents full XSS exploitation, but HTML tag injection itself remains effective for rendering phishing content, fake UI elements, or open redirect anchors.

RemediationAI

Upgrade Nozomi Networks Guardian and CMC to version 26.1.0 or later, which is the vendor-confirmed fix version per the advisory at https://security.nozominetworks.com/NN-2026:4-01. If immediate upgrade is not feasible, the most effective compensating control is to strictly limit administrative access to the Guardian and CMC Credentials Manager to the minimum number of trusted accounts, reducing the attack surface for credential compromise or malicious insider activity. Audit existing identity definitions in Credentials Manager for unexpected HTML tags or embedded links as an indicator of prior exploitation. Additionally, enforcing multi-factor authentication on administrative accounts would raise the bar for an attacker to reach the privilege level needed to plant the injection. Note that the existing CSP already prevents full XSS escalation, so no additional CSP tuning is required as a workaround - the residual risk is phishing and open redirect only.

CVE-2017-1000117 HIGH POC
8.8 Oct 05

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca

CVE-2024-52875 HIGH POC
8.8 Jan 31

GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of

CVE-2016-5385 HIGH POC
8.1 Jul 19

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect

CVE-2013-2248 MEDIUM POC
5.8 Jul 20

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to

CVE-2012-6499 MEDIUM POC
5.8 Jan 12

Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows

CVE-2015-2863 MEDIUM POC
4.3 Jul 20

Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b

CVE-2017-3528 MEDIUM POC
5.4 Apr 24

Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li

CVE-2012-0518 MEDIUM
4.7 Oct 16

Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3

CVE-2024-21641 MEDIUM POC
6.5 Jan 05

Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp

CVE-2015-5354 MEDIUM POC
5.8 Jul 01

Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites

CVE-2015-5461 MEDIUM POC
6.4 Jul 08

Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for

CVE-2024-22891 CRITICAL POC
9.8 Mar 01

Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit

Share

CVE-2025-40901 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy