CVE-2025-40891
📋 TL;DR
A stored HTML injection vulnerability in the Time Machine Snapshot Diff feature of Nozomi Networks Guardian and CMC allows an unauthenticated attacker to get HTML tags into asset attributes by sending crafted packets that end up recorded in two different snapshots. When a user later runs Time Machine Snapshot Diff on those two snapshots and performs specific GUI actions, the injected HTML renders in their browser, enabling phishing and open redirect attacks. Input validation and the Content Security Policy prevent escalation to full XSS (script execution); they do not stop script-free markup such as links and forms from rendering.
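To make the class of bug concrete, here is an added example (not Nozomi's code) of a minimal snapshot diff renderer in the vulnerable pattern next to the hardened one. The snapshot contents, the asset IP and the injected attribute value are constructed for illustration; the point is that a diff view which interpolates attribute values straight into markup will render an attacker-supplied anchor, while entity-escaping every untrusted value at the rendering boundary neutralises it regardless of what the value contains.

```python
import html

# Constructed sample: the same asset's attributes as seen in two Time Machine
# snapshots. The second snapshot carries an attacker-influenced name containing
# an HTML anchor (assumed to have arrived via a crafted protocol field).
# Illustrative values only, not real Nozomi data.
SNAPSHOT_A = {
    "10.0.0.7": {"name": "PLC-07", "vendor": "Acme Automation"},
}
SNAPSHOT_B = {
    "10.0.0.7": {
        "name": '<a href="https://evil.example/login">PLC-07 (session expired, re-authenticate)</a>',
        "vendor": "Acme Automation",
    },
}


def diff_attributes(old, new):
    """Return (ip, attribute, old_value, new_value) for every attribute that differs."""
    changes = []
    for ip in sorted(set(old) | set(new)):
        a, b = old.get(ip, {}), new.get(ip, {})
        for attr in sorted(set(a) | set(b)):
            if a.get(attr) != b.get(attr):
                changes.append((ip, attr, a.get(attr), b.get(attr)))
    return changes


def render_row_unsafe(ip, attr, old_v, new_v):
    """Vulnerable pattern: untrusted values interpolated straight into markup."""
    return f"<tr><td>{ip}</td><td>{attr}</td><td>{old_v}</td><td>{new_v}</td></tr>"


def render_row_safe(ip, attr, old_v, new_v):
    """Hardened pattern: every untrusted value is entity-escaped before it reaches the DOM."""
    def esc(v):
        return html.escape("" if v is None else str(v), quote=True)
    return (f"<tr><td>{esc(ip)}</td><td>{esc(attr)}</td>"
            f"<td>{esc(old_v)}</td><td>{esc(new_v)}</td></tr>")


def render_diff(old, new, safe=True):
    """Render the snapshot diff as an HTML table, escaped (safe=True) or raw."""
    row = render_row_safe if safe else render_row_unsafe
    return "<table>" + "".join(row(*c) for c in diff_attributes(old, new)) + "</table>"


if __name__ == "__main__":
    print(render_diff(SNAPSHOT_A, SNAPSHOT_B, safe=False))
    print(render_diff(SNAPSHOT_A, SNAPSHOT_B, safe=True))
```

Note that the injected anchor needs no JavaScript to work as a phishing lure, which is why a Content Security Policy that blocks inline script reduces this to HTML injection rather than eliminating it; only output encoding (or a templating engine that escapes by default) closes the gap.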
💻 Affected Systems
- Nozomi Networks Guardian and CMC in versions that ship the Time Machine Snapshot Diff feature (see the vendor advisory for the exact affected and fixed version ranges)
📦 What is this software?
CMC by Nozomi Networks
Guardian by Nozomi Networks
⚠️ Risk & Real-World Impact
Worst Case
Successful phishing attacks leading to credential theft or open redirects to malicious sites
Likely Case
Limited phishing attempts or redirects due to high attack complexity and multiple required conditions
If Mitigated
No impact once the vendor fix is applied. Note that the Content Security Policy on its own is not a mitigation for this issue: it only stops the injected markup from executing script, so the phishing and open redirect vectors remain until the patched version is installed.
🎯 Exploit Status
Exploitation requires all of the following: 1) the attacker sends crafted packets at two different times so that the injected attribute values are recorded in two separate snapshots, 2) a victim runs Time Machine Snapshot Diff on exactly those two snapshots, 3) the victim performs specific GUI actions in the diff view. The attacker does not need to authenticate, but cannot trigger the rendering themselves.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not listed here; see the vendor advisory NN-2025:12-01 for the fixed Guardian and CMC versions
Vendor Advisory: https://security.nozominetworks.com/NN-2025:12-01
Restart Required: Yes
Instructions:
1. Review the vendor advisory at the URL above and note the fixed version for each product.
2. Identify the version running on every Guardian and CMC instance.
3. Apply the vendor-recommended update to each affected instance.
4. Restart the affected services or appliances as the advisory directs.
5. Verify the running version matches the fixed version and that Snapshot Diff renders asset attributes as plain text.
🔧 Temporary Workarounds
Disable Time Machine Snapshot Diff
Temporarily disable the vulnerable feature until patching. Since the injected markup is only rendered through the diff view, this removes the trigger even if attributes are already polluted.
Consult Nozomi Networks documentation for feature disable commands
Restrict network access
Limit network access to systems running vulnerable software, in particular to the web interface that renders Snapshot Diff.
Configure firewall rules to restrict inbound traffic to trusted sources only. Caveat: this limits who can reach the appliance; if the crafted packets reach the sensor as monitored traffic rather than as connections to the appliance itself, firewalling the appliance does not prevent the injection, only the later rendering to untrusted users.
🧯 If You Can't Patch
- Implement strict network segmentation to limit access to vulnerable systems
- Monitor for unusual network traffic patterns and for Time Machine Snapshot Diff usage
- Review asset attribute values for HTML markup (`<`, `>`, `href=`) before using Snapshot Diff, and warn users that links shown in the diff view must not be followed
🔍 How to Verify
Check if Vulnerable:
Check if running affected Nozomi Networks software version with Time Machine Snapshot Diff enabled
Check Version:
Consult Nozomi Networks documentation for version check commands specific to your deployment
Verify Fix Applied:
Verify software version is updated to patched version per vendor advisory
📡 Detection & Monitoring
Log Indicators:
- Asset attribute values (for example device name or vendor string) that contain HTML markup, especially values that differ between two snapshots
- Snapshot Diff operations run on snapshots whose assets carry such values
- Multiple snapshot diff operations at unusual times or by unusual users
Network Indicators:
- Protocol fields that normally carry plain identifiers (device names, vendor strings, hostnames) containing `<`, `>` or `href=`, observed from the same source at two different times
- Unexpected hosts announcing asset identity information on the monitored network
SIEM Query:
Generic pattern; adapt the field names to your export or log source, since Nozomi's schema is not reproduced here: asset attribute value matches regex `<\s*/?[a-zA-Z]` AND (event is a snapshot diff OR the attribute value changed between snapshots)
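The log indicators above amount to one check: find asset attribute values that carry HTML markup, and give priority to the ones that were introduced between two snapshots, since that is what the diff view will render. The following is an added detection example (not a Nozomi tool) that runs that check over a constructed line-delimited JSON export; the field names `snapshot`, `ip`, `name` and `vendor` are assumptions for the example and must be mapped to whatever your asset export or SIEM actually provides. It also generalises slightly beyond the page by ranking findings: script tags are an XSS attempt (which the page says validation and CSP should block), while link and form tags are the phishing material that CSP does not stop.

```python
import json
import re

# Tags usable for phishing or redirection without any script execution,
# i.e. the ones a Content Security Policy does not neutralise.
PHISHING_TAGS = {"a", "form", "input", "button", "meta", "iframe", "img", "base"}
TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9-]*)")

# Constructed sample export: one asset record per line as JSON. The field
# names (snapshot, ip, name, vendor) are an assumption for this example, not
# the vendor's export schema. The third line is a script injection attempt and
# the fourth is a benign value with a bare "<" (must not be flagged).
SAMPLE_EXPORT = r"""
{"snapshot": "2025-05-01T02:00Z", "ip": "10.0.0.7", "name": "PLC-07", "vendor": "Acme Automation"}
{"snapshot": "2025-05-02T02:00Z", "ip": "10.0.0.7", "name": "<a href=\"https://evil.example/login\">PLC-07</a>", "vendor": "Acme Automation"}
{"snapshot": "2025-05-02T02:00Z", "ip": "10.0.0.9", "name": "HMI-01 <script>alert(1)</script>", "vendor": "Acme Automation"}
{"snapshot": "2025-05-02T02:00Z", "ip": "10.0.0.12", "name": "Pump <3 controller", "vendor": "Acme Automation"}
"""


def html_tags_in(value):
    """Lowercase tag names found in an attribute value; [] when there is no markup."""
    return [m.group(1).lower() for m in TAG_RE.finditer(value or "")]


def classify(tags):
    """Rank a finding: script is an XSS attempt, link/form markup is phishing material."""
    if "script" in tags:
        return "xss-attempt"
    if PHISHING_TAGS & set(tags):
        return "phishing/redirect"
    return "markup"


def _records(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def scan_export(text, fields=("name", "vendor")):
    """One finding per (record, field) whose value contains HTML markup."""
    findings = []
    for rec in _records(text):
        for field in fields:
            tags = html_tags_in(rec.get(field))
            if tags:
                findings.append({
                    "snapshot": rec["snapshot"],
                    "ip": rec["ip"],
                    "field": field,
                    "tags": sorted(set(tags)),
                    "class": classify(tags),
                })
    return findings


def markup_introduced_between_snapshots(text, fields=("name", "vendor")):
    """(ip, field, earlier_snapshot, later_snapshot) where the value changed and the later one carries markup.

    These are the pairs a Snapshot Diff over the two snapshots would render."""
    by_ip = {}
    for rec in _records(text):
        by_ip.setdefault(rec["ip"], []).append(rec)
    hits = []
    for ip, recs in sorted(by_ip.items()):
        recs.sort(key=lambda r: r["snapshot"])
        for prev, cur in zip(recs, recs[1:]):
            for field in fields:
                if prev.get(field) != cur.get(field) and html_tags_in(cur.get(field)):
                    hits.append((ip, field, prev["snapshot"], cur["snapshot"]))
    return hits


if __name__ == "__main__":
    for f in scan_export(SAMPLE_EXPORT):
        print(f)
    print(markup_introduced_between_snapshots(SAMPLE_EXPORT))
```

The tag regex is deliberately narrow (`<` followed by an optional slash and a letter) so that legitimate values containing a bare `<`, such as the constructed "Pump <3 controller", are not flagged; tune it to your asset population before alerting on it.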