PatchSiren cyber security CVE debrief
CVE-2025-40902 Nozomi Networks CVE debrief
CVE-2025-40902 is a stored HTML injection issue in Nozomi Networks Users functionality. An authenticated administrator can create a malicious user whose username contains HTML tags, and the injected content can render when another user attempts to delete a group containing that account. The practical impact described in the source material is browser-based phishing and possible open redirect abuse; the vendor notes that existing validation and Content Security Policy reduce the likelihood of full XSS exploitation or direct information disclosure.
- Vendor: Nozomi Networks
- Product: Guardian
- CVSS: MEDIUM 4.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-19
Who should care
Administrators and operators of Nozomi Networks CMC or Guardian deployments, especially environments that allow privileged users to manage accounts and groups. Security teams should also care if the product is exposed to multiple admin users or shared operational workflows where one user can influence another user’s browser session.
Technical summary
NVD lists the issue as affecting Nozomi Networks CMC and Guardian versions earlier than 26.1.0. The vulnerability is associated with CWE-79 and a CVSS 4.0 vector reflecting network access, high privileges required, partial user interaction, and limited integrity/confidentiality impact. The stored payload is entered through the Users functionality and later rendered during a group-deletion workflow, creating a server-side persistence plus client-side rendering problem. The vendor advisory reference in NVD indicates that validation and CSP are in place, which appears to constrain the issue to stored HTML injection rather than broad script execution.
Defensive priority
Medium priority. The condition requires high privileges and user interaction, and the vendor notes partial mitigation through validation and CSP, but the vulnerability still enables convincing browser-based abuse in administrative workflows. Upgrade planning should be prioritized for environments where multiple administrators or helpdesk-style group management is common.
Recommended defensive actions
- Upgrade Nozomi Networks CMC and Guardian to version 26.1.0 or later, as NVD marks versions before 26.1.0 as vulnerable.
- Review any administrative workflows that create or edit usernames and ensure server-side output encoding is enforced everywhere usernames are displayed.
- Validate that browser-side protections such as Content Security Policy remain enabled and are not relaxed in deployed instances.
- Audit existing user accounts for unexpected HTML-like content in usernames and remove or rename suspicious entries using a safe administrative procedure.
- Check logs and change history for unusual account creation activity by privileged users, especially around group and user management actions.
- Inform administrators that this issue can be used for phishing or redirect-style abuse even if it is not a full script-execution bug.
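To make the audit and output-encoding actions above concrete, here is an added Python example (not Nozomi Networks code; the usernames and the group-deletion confirmation markup are constructed for illustration). It flags HTML-like usernames for review and contrasts an unescaped rendering of a delete-confirmation message with one that encodes every stored value at output time.

```python
import html
import re

# Tag-like tokens (<a ...>, </b>, <!-- ...) or entity-like tokens (&lt; &#60;).
# Constructed heuristic for triage, not a replacement for output encoding.
HTML_LIKE = re.compile(r"<\s*/?\s*[A-Za-z!][^>]*>|&#?\w+;")

# Constructed sample account list: one clean name, one carrying a tag, one carrying entities.
SAMPLE_USERNAMES = [
    "alice",
    "bob<a href='https://example.invalid/reset'>verify your account</a>",
    "carol&lt;b&gt;",
]


def username_looks_like_html(username: str) -> bool:
    """True when the username contains tag-like or entity-like sequences."""
    return HTML_LIKE.search(username) is not None


def audit_usernames(usernames):
    """Return usernames that deserve manual review before they are rendered anywhere."""
    return [u for u in usernames if username_looks_like_html(u)]


def render_delete_confirmation_unsafe(group: str, members) -> str:
    # Vulnerable pattern: stored usernames are interpolated straight into HTML,
    # so a username containing markup is rendered by the confirming admin's browser.
    items = "".join(f"<li>{m}</li>" for m in members)
    return f"<p>Delete group {group}? Members:</p><ul>{items}</ul>"


def render_delete_confirmation_safe(group: str, members) -> str:
    # Hardened pattern: every untrusted value is HTML-escaped at output time,
    # so a username is shown as literal text regardless of what it contains.
    items = "".join(f"<li>{html.escape(m, quote=True)}</li>" for m in members)
    return f"<p>Delete group {html.escape(group, quote=True)}? Members:</p><ul>{items}</ul>"


if __name__ == "__main__":
    print("review:", audit_usernames(SAMPLE_USERNAMES))
    print(render_delete_confirmation_safe("operators", SAMPLE_USERNAMES))
```

The audit heuristic is intentionally broad (it also flags legitimate entity-like text) because a false positive only costs a manual look, while the output-encoding step is what actually neutralises the stored payload.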
Evidence notes
The CVE description states this is a stored HTML injection in Users functionality caused by improper validation of an input parameter. It also states that an authenticated user with administrative privileges can create a malicious user whose username contains HTML tags, and that the payload renders when a victim deletes a group containing the affected user. The description further notes that full XSS exploitation and direct information disclosure are prevented by existing input validation and Content Security Policy. NVD maps the issue to CWE-79, lists affected CPEs for Nozomi Networks CMC and Guardian, and shows versions before 26.1.0 as vulnerable. Published and modified timestamps supplied in the record are 2026-05-19.
Official resources
- CVE-2025-40902 CVE record (CVE.org)
- CVE-2025-40902 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
Disclosed by Nozomi Networks and published in official vulnerability records on 2026-05-19. The supplied timeline fields indicate no KEV listing as of the record provided.