Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:L/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AC:H because a man-in-the-middle position must be established; PR:N/UI:N as no Collector auth or user action is needed; impact is integrity-dominant (I:H) from data injection with lower C/A.
Primary rating from Vendor (Nozomi).
CVSS VectorVendor: Nozomi
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:L/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
When the upstream Guardian or CMC was configured in the Remote Collector via n2os-tui, the generated configuration disabled TLS certificate verification, and no option was provided to enable it. A malicious actor could perform a man-in-the-middle attack and intercept the communication between the Remote Collector and the Guardian or CMC. This could result in theft of the sync token, impersonation of the server, injection of spoofed data (such as false asset information or vulnerabilities) into the Guardian or CMC, or disruption of the data flow between the Remote Collector and the Guardian or CMC.
AnalysisAI
Man-in-the-middle exposure in Nozomi Networks Remote Collector arises because configuring an upstream Guardian or CMC through the n2os-tui interface generates a configuration that disables TLS certificate verification, with no option to re-enable it. Any attacker positioned on the network path between the Remote Collector and its Guardian/CMC can intercept the channel to steal the sync token, impersonate the server, inject spoofed asset or vulnerability data, or disrupt telemetry flow. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the Remote Collector was set up with an upstream Guardian or CMC through the n2os-tui interface - that specific configuration path is what generates the TLS-verification-disabled config, and there is no operator option to enable verification. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 4.0 base score is 8.3 (High) with vector AV:N/AC:L/AT:P/PR:N/UI:N and impacts VC:L/VI:H/VA:L, meaning the standout risk is integrity (VI:H) - spoofed asset and vulnerability data injected into the monitoring backbone - rather than confidentiality or availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who gains a foothold on a network segment between the Remote Collector and the Guardian/CMC (e.g., via ARP spoofing, a rogue switch/router, or a compromised intermediate host) transparently intercepts the TLS session that skips certificate validation. Because the Collector accepts any presented certificate, the attacker impersonates the Guardian, harvests the sync token, and injects fabricated asset and vulnerability data - or drops legitimate telemetry - to poison the OT monitoring picture. … |
| Remediation | Consult the Nozomi advisory at https://security.nozominetworks.com/NN-2026:12-01 and apply the vendor-provided fixed n2os release once its version is confirmed there; no exact fix version is included in the provided data, so treat the advisory as authoritative for the patched build. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all Nozomi Remote Collector deployments; identify instances configured with Guardian or CMC upstreams; document network topology and access points between collectors and upstream systems. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Remote Collector
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42535
GHSA-r8ph-vcp7-p3mx