Skip to main content

Nozomi Remote Collector CVE-2026-31985

| EUVDEUVD-2026-42535 HIGH
Lack of Administrator Control over Security (CWE-671)
2026-07-09 Nozomi GHSA-r8ph-vcp7-p3mx
8.3
CVSS 4.0 · Vendor: Nozomi
Share

Severity by source

Vendor (Nozomi) PRIMARY
8.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:L/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.0 HIGH

AC:H because a man-in-the-middle position must be established; PR:N/UI:N as no Collector auth or user action is needed; impact is integrity-dominant (I:H) from data injection with lower C/A.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:L/SC:L/SI:L/SA:N

Primary rating from Vendor (Nozomi).

CVSS VectorVendor: Nozomi

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:L/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 09, 2026 - 09:02 EUVD
Analysis Generated
Jul 09, 2026 - 08:35 vuln.today

DescriptionCVE.org

When the upstream Guardian or CMC was configured in the Remote Collector via n2os-tui, the generated configuration disabled TLS certificate verification, and no option was provided to enable it. A malicious actor could perform a man-in-the-middle attack and intercept the communication between the Remote Collector and the Guardian or CMC. This could result in theft of the sync token, impersonation of the server, injection of spoofed data (such as false asset information or vulnerabilities) into the Guardian or CMC, or disruption of the data flow between the Remote Collector and the Guardian or CMC.

AnalysisAI

Man-in-the-middle exposure in Nozomi Networks Remote Collector arises because configuring an upstream Guardian or CMC through the n2os-tui interface generates a configuration that disables TLS certificate verification, with no option to re-enable it. Any attacker positioned on the network path between the Remote Collector and its Guardian/CMC can intercept the channel to steal the sync token, impersonate the server, inject spoofed asset or vulnerability data, or disrupt telemetry flow. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain on-path position between Collector and Guardian
Delivery
Intercept TLS session lacking cert validation
Exploit
Impersonate Guardian/CMC server
Execution
Steal sync token
Impact
Inject spoofed asset/vulnerability data or drop telemetry

Vulnerability AssessmentAI

Exploitation Exploitation requires that the Remote Collector was set up with an upstream Guardian or CMC through the n2os-tui interface - that specific configuration path is what generates the TLS-verification-disabled config, and there is no operator option to enable verification. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 base score is 8.3 (High) with vector AV:N/AC:L/AT:P/PR:N/UI:N and impacts VC:L/VI:H/VA:L, meaning the standout risk is integrity (VI:H) - spoofed asset and vulnerability data injected into the monitoring backbone - rather than confidentiality or availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who gains a foothold on a network segment between the Remote Collector and the Guardian/CMC (e.g., via ARP spoofing, a rogue switch/router, or a compromised intermediate host) transparently intercepts the TLS session that skips certificate validation. Because the Collector accepts any presented certificate, the attacker impersonates the Guardian, harvests the sync token, and injects fabricated asset and vulnerability data - or drops legitimate telemetry - to poison the OT monitoring picture. …
Remediation Consult the Nozomi advisory at https://security.nozominetworks.com/NN-2026:12-01 and apply the vendor-provided fixed n2os release once its version is confirmed there; no exact fix version is included in the provided data, so treat the advisory as authoritative for the patched build. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all Nozomi Remote Collector deployments; identify instances configured with Guardian or CMC upstreams; document network topology and access points between collectors and upstream systems. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-31985 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy