Description
A Stored HTML Injection vulnerability was discovered in the Asset List functionality due to improper validation of network traffic data. An unauthenticated attacker can send specially crafted network packets to inject HTML tags into asset attributes. When a victim views the affected assets in the Asset List (and similar functions), the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
Published: 2025-12-18
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored HTML Injection
Action: Upgrade
AI Analysis

Impact

A stored HTML injection flaw was identified in the Asset List component of Nozomi Networks' Guardian and CMC products. Input validation of network packet data fails to escape HTML characters, allowing an attacker to embed markup into asset attributes. When a victim views the affected assets in the Asset List or equivalent interfaces, the injected tags are rendered in the browser, enabling phishing or open‑redirect attacks. The description notes that full cross‑site scripting exploitation and direct information disclosure are mitigated by existing input checks and a Content Security Policy, but the ability to display arbitrary HTML remains a concern.

Affected Systems

All deployed instances of Nozomi Networks' CMC and Guardian products with versions prior to 25.5.0 are affected. No specific sub‑versions are listed, so any release before the 25.5.0 update should be considered vulnerable.

Risk and Exploitability

The CVSS v4.0 score of 5.3 indicates medium severity. An EPSS score of less than 1% suggests a very low probability of exploitation at this time, and the vulnerability is not included in CISA's KEV catalog. The likely attack vector, inferred from the description, is an unauthenticated attacker sending crafted network packets to the device. The attacker can inject HTML into asset attributes but cannot achieve full XSS or direct data exfiltration because of the existing input validation and CSP settings. Nonetheless, the injected content rendered in the Asset List can be used for phishing or to steer users to malicious destinations when they interact with the UI.

Generated by OpenCVE AI on April 20, 2026 at 16:34 UTC.

Remediation

Vendor Solution

Upgrade to v25.5.0 or later.


OpenCVE Recommended Actions

  • Apply the vendor-provided upgrade to version 25.5.0 or later for both CMC and Guardian.
  • Restrict inbound traffic that can modify asset data to only trusted sources; consider implementing firewall rules or traffic signing to block forged packets.
  • Review existing asset entries for embedded HTML and cleanse them if necessary before or after the upgrade.

Generated by OpenCVE AI on April 20, 2026 at 16:34 UTC.
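
An added example for the third recommended action above (not OpenCVE or Nozomi Networks code): it scans asset attribute values for anything an HTML parser would treat as a tag, and records the link targets plus an escaped rendering for review. The record layout, field names and sample values are constructed for illustration; the product's real export format is not given on this page.

```python
import html
from html.parser import HTMLParser

# Attributes that can point a viewer at another destination.
URL_ATTRS = {"href", "src", "action", "formaction"}

# Constructed sample records; field names are hypothetical, not the product schema.
SAMPLE_ASSETS = [
    {"id": "a1", "name": "plc-line-3", "vendor": "Acme Controls"},
    {"id": "a2", "name": '<a href="https://example.invalid/login">Sign in again</a>'},
    {"id": "a3", "name": "hmi-02", "label": "temp < 40 and flow > 2"},
    {"id": "a4", "name": "rtu-7",
     "label": '<form action="https://example.invalid/"><input name=pw></form>'},
]

class _TagCollector(HTMLParser):
    """Collects start tags and URL-bearing attributes found in one value."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.urls = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.urls += [v for k, v in attrs if k in URL_ATTRS and v]

def find_markup(value):
    """Return (tags, urls) that an HTML parser sees in a stored string."""
    parser = _TagCollector()
    parser.feed(value)
    parser.close()
    return parser.tags, parser.urls

def audit_assets(assets):
    """Flag every string attribute that contains parseable HTML tags."""
    findings = []
    for asset in assets:
        for field, value in asset.items():
            if not isinstance(value, str):
                continue
            tags, urls = find_markup(value)
            if tags:  # a bare "<" or ">" in text is not a tag and is not flagged
                findings.append({"id": asset["id"], "field": field, "tags": tags,
                                 "urls": urls, "escaped": html.escape(value)})
    return findings

if __name__ == "__main__":
    for finding in audit_assets(SAMPLE_ASSETS):
        print(finding)
```

The `escaped` value is what a correctly encoding UI would display, which makes flagged entries safe to paste into a ticket or report.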

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 10:30:00 +0000

Type Values Removed Values Added
References

Tue, 06 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Nozominetworks
Nozominetworks cmc
Nozominetworks guardian
CPEs cpe:2.3:a:nozominetworks:cmc:*:*:*:*:*:*:*:*
cpe:2.3:a:nozominetworks:guardian:*:*:*:*:*:*:*:*
Vendors & Products Nozominetworks
Nozominetworks cmc
Nozominetworks guardian

Thu, 18 Dec 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Dec 2025 13:30:00 +0000

Type Values Removed Values Added
Description A Stored HTML Injection vulnerability was discovered in the Asset List functionality due to improper validation of network traffic data. An unauthenticated attacker can send specially crafted network packets to inject HTML tags into asset attributes. When a victim views the affected assets in the Asset List (and similar functions), the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
Title HTML injection in Asset List in Guardian/CMC before 25.5.0
First Time appeared Nozomi Networks
Nozomi Networks cmc
Nozomi Networks guardian
Weaknesses CWE-79
CPEs cpe:2.3:a:nozomi_networks:cmc:*:*:*:*:*:*:*:*
cpe:2.3:a:nozomi_networks:guardian:*:*:*:*:*:*:*:*
Vendors & Products Nozomi Networks
Nozomi Networks cmc
Nozomi Networks guardian
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Nozomi

Published:

Updated: 2026-04-14T08:58:10.756Z

Reserved: 2025-04-16T09:04:25.007Z

Link: CVE-2025-40893

Vulnrichment

Updated: 2025-12-18T14:20:57.051Z

NVD

Status: Modified

Published: 2025-12-18T14:15:59.620

Modified: 2026-04-14T10:16:27.247

Link: CVE-2025-40893

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T16:45:11Z
