CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
A Stored HTML Injection vulnerability was discovered in the Schedule Restore Archive functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can define a malicious restore schedule containing HTML tags. When a victim views the affected schedule, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
Analysis (AI)
Stored HTML injection in Nozomi Networks Guardian and CMC's Schedule Restore Archive feature permits authenticated administrators to embed arbitrary HTML tags within restore schedule configurations. When any user views the poisoned schedule entry, the injected markup renders in their browser, enabling phishing lures and potential open redirect attacks against operators. Full JavaScript execution is blocked by the platform's existing Content Security Policy and server-side validation, and no public exploit has been identified at the time of analysis; however, in OT/ICS environments where operator trust is high, even HTML-level injection can support targeted social engineering.
Technical Context (AI)
Nozomi Networks Guardian and CMC (Central Management Console) are OT/IoT network visibility and security monitoring platforms widely deployed in critical infrastructure environments. The vulnerability resides in the Schedule Restore Archive feature, where a specific input parameter is insufficiently sanitized before being persisted and later rendered in the browser. CWE-79 (Improper Neutralization of Input During Web Page Generation) identifies the root cause as a failure to neutralize user-controlled content prior to HTML rendering. This is the stored variant: the payload persists server-side and renders for any subsequent viewer without further attacker interaction. The CPE strings cpe:2.3:a:nozomi_networks:guardian:*:*:*:*:*:*:*:* and cpe:2.3:a:nozomi_networks:cmc:*:*:*:*:*:*:*:* confirm both product lines are affected across all versions prior to 26.1.0. Existing Content Security Policy headers prevent escalation to full script execution, confining the practical attack surface to HTML-level effects such as anchor tag injection, iframe embedding, and open redirect payloads.
Remediation (AI)
Upgrade Nozomi Networks Guardian and CMC to version 26.1.0 or later, which remediates the improper input validation in the Schedule Restore Archive functionality. The authoritative vendor advisory with upgrade guidance is available at https://security.nozominetworks.com/NN-2026:6-01. As an interim compensating control prior to patching, restrict administrative access to the minimum number of trusted personnel using role-based access controls, reducing the likelihood that a compromised admin account can inject content; this does not eliminate the vulnerability but raises the bar for exploitation. Additionally, audit existing restore schedule configurations for unexpected HTML tags (anchor elements, iframes, meta refresh directives) to identify any prior injection attempts. Enabling alerting on administrative configuration changes in the schedule restore area can provide detection coverage while patches are applied.
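The configuration audit recommended above can be scripted against an exported list of schedule entries. This is an added example, not code from the advisory or from Nozomi; the SAMPLE_SCHEDULES list and its field names are constructed assumptions rather than the product's real schema, and neutralize() shows the server-side escaping pattern that stops stored markup from rendering.

```python
import html
from html.parser import HTMLParser

# Tags that realize the effects named in the advisory: phishing lures and redirects.
SUSPICIOUS_TAGS = {"a", "iframe", "meta", "form", "img", "object", "embed", "script"}

class TagCollector(HTMLParser):
    """Record every start tag (with its attributes) found in a free-text field."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def find_html_in_field(text):
    """Return [(tag, attrs), ...] for any markup present in a stored field."""
    parser = TagCollector()
    parser.feed(text)
    parser.close()
    return parser.tags

def audit_schedules(schedules, fields=("name", "description")):
    """Walk exported schedule entries and flag any markup in their text fields."""
    findings = []
    for entry in schedules:
        for field in fields:
            for tag, attrs in find_html_in_field(str(entry.get(field, ""))):
                # A meta refresh is the open-redirect case the advisory calls out.
                redirect = tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh"
                findings.append({"schedule_id": entry["id"], "field": field, "tag": tag,
                                 "attrs": attrs, "redirect": redirect,
                                 "suspicious": tag in SUSPICIOUS_TAGS})
    return findings

def neutralize(text):
    """The server-side fix pattern: escape a stored field before it reaches the page."""
    return html.escape(text, quote=True)

# Constructed sample export; the field names are an assumption, not Nozomi's schema.
SAMPLE_SCHEDULES = [
    {"id": 1, "name": "nightly-archive", "description": "Restore the nightly archive"},
    {"id": 2, "name": "weekly", "description":
        'Session expired: <a href="https://login.example.invalid">re-authenticate</a>'},
    {"id": 3, "name": '<meta http-equiv="refresh" content="0;url=https://example.invalid">',
     "description": "ok"},
    {"id": 4, "name": "archive <b>pre-upgrade</b>", "description": "plain text"},
]
```

Any finding with suspicious set is worth correlating with the administrative change audit log for the account that last edited that schedule.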
External POC / Exploit Code
EUVD-2025-209896
GHSA-9pfj-vxgx-63wq