CVE-2025-40892
📋 TL;DR
A stored XSS vulnerability in the Reports functionality allows authenticated users with report privileges to inject malicious JavaScript into reports. When victims view or import these reports, the attacker can execute arbitrary actions in the victim's browser context, potentially compromising their account and application data. This affects all users of the vulnerable software who have access to the Reports feature.
💻 Affected Systems
- Nozomi Networks Guardian/CMC
📦 What is this software?
Cmc by Nozominetworks
Guardian by Nozominetworks
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains full administrative control over the application, modifies critical data, disrupts availability, and exfiltrates sensitive information from all user accounts.
Likely Case
Attackers compromise individual user accounts to steal session tokens, modify application data, and perform unauthorized actions within the victim's privilege level.
If Mitigated
Limited impact due to proper input validation, output encoding, and Content Security Policy preventing script execution.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once access is obtained. Social engineering can be used to trick users into importing malicious reports.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 24.2.3 and later
Vendor Advisory: https://security.nozominetworks.com/NN-2025:13-01
Restart Required: Yes
Instructions:
1. Download Nozomi Networks Guardian/CMC version 24.2.3 or later from the official portal.
2. Back up the current configuration and data.
3. Apply the update following the vendor's upgrade documentation.
4. Restart the application/services as required.
🔧 Temporary Workarounds
Restrict Report Creation Privileges
Limit report creation and import capabilities to trusted administrators only until patching is complete.
Implement Content Security Policy
Deploy a strict Content Security Policy header to prevent inline script execution and restrict script sources.
Content-Security-Policy: default-src 'self'; script-src 'self'
🧯 If You Can't Patch
- Implement strict input validation and output encoding for all report-related parameters
- Monitor and audit report creation/import activities for suspicious patterns
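The two workarounds above (the CSP header and output encoding of report fields) side by side, as an added Python illustration that is not code from this advisory or from Nozomi Networks. The report field names, the two rendering functions and the dict standing in for an HTTP response are assumptions; only the CSP value is taken from the advisory.

```python
import html
from typing import Dict, List

# Constructed sample report carrying the kind of stored payload the advisory
# describes (field names are hypothetical, not the product's schema).
UNTRUSTED_REPORT: Dict[str, str] = {
    "name": "Quarterly review <script>alert(1)</script>",
    "description": 'See <a href="javascript:alert(1)">details</a>',
}

# The workaround header quoted in the advisory.
CSP_VALUE = "default-src 'self'; script-src 'self'"


def render_report_unsafe(report: Dict[str, str]) -> str:
    """Vulnerable pattern: stored fields are interpolated straight into HTML,
    so markup in the report name or description becomes live DOM."""
    return f"<h1>{report['name']}</h1><p>{report['description']}</p>"


def encode_for_html(value: str) -> str:
    """Output encoding for an HTML text node or quoted attribute value:
    & < > " ' are replaced by entities, so a stored payload is displayed
    as literal text instead of being parsed as markup."""
    return html.escape(value, quote=True)


def render_report_safe(report: Dict[str, str]) -> str:
    """Hardened pattern: every untrusted field is encoded at output time."""
    return (
        f"<h1>{encode_for_html(report['name'])}</h1>"
        f"<p>{encode_for_html(report['description'])}</p>"
    )


def parse_csp(csp: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [sources]} (quotes stripped,
    lower-cased) so a policy can be checked programmatically."""
    directives: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.strip("'").lower() for t in tokens[1:]]
    return directives


def csp_blocks_inline_scripts(csp: str) -> bool:
    """True when the effective script policy (script-src, falling back to
    default-src) is present and allows neither inline scripts nor any host.
    A missing policy counts as not blocking anything."""
    directives = parse_csp(csp)
    script_src = directives.get("script-src") or directives.get("default-src") or []
    if not script_src:
        return False
    return "unsafe-inline" not in script_src and "*" not in script_src


def build_response(body: str) -> Dict[str, object]:
    """Attach the workaround CSP to a response; the dict stands in for a real
    framework response object (an assumption)."""
    return {
        "status": 200,
        "headers": {
            "Content-Type": "text/html; charset=utf-8",
            "Content-Security-Policy": CSP_VALUE,
        },
        "body": body,
    }


if __name__ == "__main__":
    print("unsafe:", render_report_unsafe(UNTRUSTED_REPORT))
    print("safe:  ", render_report_safe(UNTRUSTED_REPORT))
    print("CSP blocks inline scripts:", csp_blocks_inline_scripts(CSP_VALUE))
```

Encoding has to match the output context: `html.escape` is right for text nodes and quoted attributes, but a value placed inside a script block or a URL needs that context's encoding instead. The CSP check is deliberately minimal (it does not evaluate nonces or hashes); its point is that a policy with `'unsafe-inline'` in the script directive gives no protection against the stored payload, whereas the advisory's `script-src 'self'` does.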
🔍 How to Verify
Check if Vulnerable:
Check if your Nozomi Networks Guardian/CMC version is below 24.2.3 in the administration interface.
Check Version:
Check via web interface: Admin > System > About, or via CLI: show version
Verify Fix Applied:
After updating to 24.2.3 or later, verify the version in the administration interface and test report creation/import with script payloads to confirm they are properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual report creation patterns
- Multiple failed import attempts
- Reports with suspicious content like JavaScript tags
Network Indicators:
- Unexpected outbound connections from the application server following report views
SIEM Query:
source="nozomi_logs" AND (event_type="report_creation" OR event_type="report_import") AND (content CONTAINS "<script>" OR content CONTAINS "javascript:")
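The SIEM query above matches the two strings literally. As an added example (not from this advisory or from Nozomi Networks), the Python below applies the same logic to a handful of constructed log lines and goes slightly further: the match is case-insensitive and also catches variants such as `<SCRIPT>` or `<script src=...>`, and a second pass counts repeated failed imports per user, which is the second log indicator listed. The key=value log layout, the field names and the user names are assumptions.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample log lines; the key=value layout and field names are an
# assumption and do not reproduce the product's real log format.
SAMPLE_LOGS: List[str] = [
    'ts=2025-01-01T10:00:01Z user=alice event_type=report_creation status=ok content="Weekly asset summary"',
    'ts=2025-01-01T10:02:14Z user=mallory event_type=report_creation status=ok content="Q1 <script>alert(1)</script>"',
    'ts=2025-01-01T10:03:00Z user=mallory event_type=report_import status=failed content="q1.json"',
    'ts=2025-01-01T10:03:20Z user=mallory event_type=report_import status=failed content="q1.json"',
    'ts=2025-01-01T10:03:41Z user=mallory event_type=report_import status=failed content="q1.json"',
    'ts=2025-01-01T10:04:05Z user=mallory event_type=report_import status=ok content="<a href=javascript:alert(1)>details</a>"',
    'ts=2025-01-01T10:05:30Z user=bob event_type=report_creation status=ok content="<SCRIPT>alert(2)</SCRIPT>"',
    'ts=2025-01-01T10:06:00Z user=carol event_type=login status=ok content="comment mentions <script> but is not a report event"',
]

# key=value pairs; values may be double-quoted (to allow spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Same indicators as the SIEM query, but tolerant of case and of
# attributes/whitespace after the tag name or before the URL-scheme colon.
SCRIPT_RE = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)

REPORT_EVENTS = {"report_creation", "report_import"}


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict (quoted or bare values)."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def has_script_indicator(content: str) -> bool:
    """Case-insensitive version of the query's two content indicators."""
    return SCRIPT_RE.search(content) is not None


def find_suspicious(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Report events whose content carries a script indicator
    (the equivalent of the SIEM query, with the looser matching above)."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("event_type") in REPORT_EVENTS and has_script_indicator(rec.get("content", "")):
            hits.append(rec)
    return hits


def failed_import_counts(lines: Iterable[str], threshold: int = 3) -> Dict[str, int]:
    """Users with at least `threshold` failed report imports, covering the
    'multiple failed import attempts' log indicator."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec.get("event_type") == "report_import" and rec.get("status") == "failed":
            counts[rec.get("user", "?")] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOGS):
        print(f"{hit['ts']} {hit['user']} {hit['event_type']}: {hit['content']!r}")
    print("repeated failed imports:", failed_import_counts(SAMPLE_LOGS))
```

Note that the login event from `carol` is not flagged even though its content contains `<script>`, because the filter on `event_type` is applied first, exactly as in the query; and `bob`'s upper-case tag is caught here although the literal query would miss it.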