PatchSiren cyber security CVE debrief
CVE-2026-44925 Veritas CVE debrief
CVE-2026-44925 is a cross-site request forgery issue affecting InfoScale Operations Manager (VIOM). The public description says an attacker can trick a user with an active session into triggering unintended changes in the VIOM web application. Because the issue targets an administrative web interface and is rated CVSS 8.8 in the supplied record, it should be treated as a high-priority web-management exposure.
- Vendor: Veritas
- Product: InfoScale Operations Manager
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-21
Who should care
Administrators and security teams responsible for InfoScale / VIOM management interfaces, especially environments where the web console is reachable from user networks or the internet. Teams that rely on active browser sessions for admin workflows should also care, since CSRF risk increases when authenticated sessions can be abused to submit state-changing actions.
Technical summary
The supplied CVE record describes a CSRF weakness in InfoScale v9.1.3 Operations Manager (VIOM). In practice, this means a malicious page or link could cause a browser that already has a valid session to submit unintended state-changing requests to the VIOM web application. NVD maps the weakness to CWE-352 and lists CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H in the provided metadata. The source bundle also includes vendor support bulletin references for the VIOM web application.
Defensive priority
High. This is a web-management flaw with the potential for unauthorized configuration changes, and the supplied CVSS score is 8.8 (High). Prioritize validation of remediation guidance for any exposed VIOM instances and review access controls around the management UI.
Recommended defensive actions
- Review the vendor security bulletins referenced in the CVE record for the specific VIOM remediation steps and any fixed releases or mitigations.
- Restrict access to the VIOM management interface to trusted administrative networks, VPNs, or jump hosts only.
- Verify that CSRF protections are present and working on all state-changing VIOM requests, including anti-CSRF tokens and origin/referrer checks where applicable.
- Require reauthentication or step-up controls for sensitive administrative actions in the management console.
- Audit VIOM logs for unexpected configuration changes, especially actions that do not align with known administrator activity.
- If the product is internet-reachable or broadly reachable inside the enterprise, prioritize segmentation and exposure reduction until remediation is confirmed.
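One way to combine the log audit and the origin/referrer check from the list above, as an added example rather than Veritas tooling or VIOM's own log format. It assumes a reverse proxy in front of the console that writes combined-format access logs; the host name, paths and sample lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: the console's origin as browsers see it (hypothetical host name).
CONSOLE_ORIGIN = ("https", "viom.example.internal", 443)
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
# Combined log format: ip - user [time] "METHOD path proto" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

def origin_of(url):
    """Return (scheme, host, port) for a URL, or None if absent or unparsable."""
    if not url or url == "-":
        return None
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return (parts.scheme, parts.hostname, port or (443 if parts.scheme == "https" else 80))

def flag_cross_origin_writes(lines):
    """Yield (reason, fields) for accepted state-changing requests not referred by the console."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] not in STATE_CHANGING:
            continue  # unparsable line or read-only request
        if not m["status"].startswith(("2", "3")):
            continue  # the server rejected it, so no state changed
        src = origin_of(m["referer"])
        if src is None:  # may be a strict referrer policy; review, do not assume abuse
            yield ("missing-referer", m.groupdict())
        elif src != CONSOLE_ORIGIN:
            yield ("cross-origin-referer", m.groupdict())

# Constructed sample lines, not taken from any real VIOM deployment.
SAMPLE = [
    '10.0.5.20 - admin [20/May/2026:09:14:02 +0000] "POST /config/update HTTP/1.1" 200 512 "https://viom.example.internal/config" "Mozilla/5.0"',
    '10.0.5.20 - admin [20/May/2026:09:20:41 +0000] "POST /config/update HTTP/1.1" 200 498 "https://wiki.example.net/page" "Mozilla/5.0"',
    '10.0.5.31 - operator [20/May/2026:09:22:10 +0000] "GET /dashboard HTTP/1.1" 200 8841 "https://wiki.example.net/" "Mozilla/5.0"',
    '10.0.5.31 - operator [20/May/2026:09:25:33 +0000] "DELETE /users/7 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.5.44 - - [20/May/2026:09:30:05 +0000] "POST /config/update HTTP/1.1" 403 120 "https://wiki.example.net/" "Mozilla/5.0"',
]
```

Each flagged entry carries the user, time and path, so it can be compared against known administrator activity before it is treated as suspicious.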
Evidence notes
The description, title, and NVD weakness mapping all point to a CSRF problem in InfoScale Operations Manager (VIOM), with CWE-352 listed in the supplied metadata. NVD’s record status is shown as 'Awaiting Analysis' in the provided source item, and the source bundle includes two official support references: an InfoScale/Cloud support bulletin and a Veritas support document. The supplied record does not include CPE criteria, and no KEV entry is present in the timeline/enrichment fields. The source bundle’s vendor attribution is marked low confidence/needs review, but the CVE title and official references identify the affected product family.
Official resources
- CVE-2026-44925 CVE record (CVE.org)
- CVE-2026-44925 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: Vendor Advisory
- Mitigation or vendor reference: Vendor Advisory
Public CVE record published on 2026-05-20. This debrief is based only on the supplied CVE/NVD materials and the official links referenced in the source bundle.