PatchSiren cyber security CVE debrief
CVE-2025-40901 Nozomi Networks CVE debrief
CVE-2025-40901 is a stored HTML injection issue in Nozomi Networks Credentials Manager. According to the CVE record, an authenticated user with administrative privileges can define a malicious identity containing HTML tags, and when another user attempts to delete that identity, the injected HTML is rendered in the browser. The stated impact is primarily phishing risk and possible open redirect behavior; the record also notes that full XSS exploitation and direct information disclosure are prevented by existing input validation and Content Security Policy controls.
- Vendor
- Nozomi Networks
- Product
- Guardian
- CVSS
- MEDIUM 4.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-19
- Original CVE updated
- 2026-05-19
- Advisory published
- 2026-05-19
- Advisory updated
- 2026-05-19
Who should care
Security teams and administrators running Nozomi Networks CMC or Guardian versions earlier than 26.1.0, especially environments where multiple trusted users can manage or delete identities in Credentials Manager.
Technical summary
The NVD record classifies this as CWE-79 and gives it a CVSS v4.0 vector of AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L. The vulnerable CPE criteria in the CVE metadata cover nozominetworks:cmc and nozominetworks:guardian up to, but not including, version 26.1.0. The flaw is described as stored HTML injection caused by insufficient validation of an input parameter: an admin can store HTML in an identity value, and the browser renders that content during the delete workflow for another user.
Defensive priority
Medium. The issue requires administrative privileges and user interaction, and the vendor/CVE summary indicates that existing validation and CSP reduce the chance of full XSS or information disclosure. Even so, the browser-rendered HTML can still support phishing or redirect abuse in administrative workflows, so patching should be prioritized for any deployed affected version.
Recommended defensive actions
- Upgrade Nozomi Networks CMC and Guardian to version 26.1.0 or later.
- Review and limit who has administrative access to Credentials Manager.
- Treat unexpected HTML or formatting in identity names as suspicious and investigate before deletion.
- Follow the vendor advisory guidance in NN-2026:4-01 for any product-specific remediation steps.
Evidence notes
This debrief is based on the official CVE/NVD metadata supplied in the source corpus. NVD marks the record as analyzed and references a Nozomi Networks vendor advisory. The CVE description states stored HTML injection in Credentials Manager, admin privilege requirement, browser rendering on identity deletion, and reduced impact due to input validation and CSP. The vulnerable product criteria list CMC and Guardian versions earlier than 26.1.0. Published and modified timestamps in the corpus are 2026-05-19T14:16:27.767Z and 2026-05-19T17:47:05.813Z, respectively.
Official resources
-
CVE-2025-40901 CVE record
CVE.org
-
CVE-2025-40901 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
Publicly disclosed in the official CVE/NVD record on 2026-05-19, with the same-day NVD modification timestamp reflected in the supplied timeline. The corpus also cites a Nozomi Networks vendor advisory (NN-2026:4-01) as the primary vendor参考