CVE-2025-40891: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Nozomi Networks Guardian
CVE-2025-40891 is a stored HTML injection vulnerability in Nozomi Networks Guardian's Time Machine Snapshot Diff feature. An unauthenticated attacker can inject HTML tags into asset attributes by sending crafted network packets at two different times. Exploitation requires a victim to view and interact with the specific snapshots in the GUI, where the injected HTML renders in their browser. This can enable phishing and open redirect attacks, although full XSS exploitation is mitigated by input validation and Content Security Policy. The attack complexity is high due to multiple required conditions, and no known exploits are reported in the wild. The CVSS score is low (2.3), reflecting limited impact and difficulty of exploitation. European organizations using Nozomi Networks Guardian should be aware of this vulnerability and monitor for updates or patches.
AI Analysis
Technical Summary
CVE-2025-40891 is a stored HTML injection vulnerability categorized under CWE-79, affecting the Time Machine Snapshot Diff functionality of Nozomi Networks Guardian. The vulnerability arises from improper validation of network traffic data, allowing an unauthenticated attacker to send specially crafted network packets at two distinct times. These packets inject malicious HTML tags into asset attributes stored within two different snapshots. When a user subsequently accesses the Time Machine Snapshot Diff feature and performs specific GUI actions on these snapshots, the injected HTML is rendered in the user's browser. This rendering can facilitate phishing attacks or open redirect scenarios by manipulating the displayed content. However, the vulnerability does not allow full cross-site scripting exploitation due to existing input validation and a Content Security Policy that restricts script execution. The attack complexity is high because it requires precise timing of packet injection and user interaction with the GUI to trigger the payload. No authentication is needed to inject the malicious packets, but user interaction is required to activate the exploit. The vulnerability has a CVSS 4.0 base score of 2.3, indicating low severity, primarily due to the high complexity and limited impact on confidentiality, integrity, and availability. No known exploits have been reported in the wild, and no patches or mitigations have been published at this time.
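The rendering defect described above, as an added illustration that is not Nozomi Networks code and makes no claim about how Guardian is implemented: a snapshot diff of asset attributes built by string concatenation (the vulnerable pattern) beside the same view with every value HTML-escaped, plus a check that lists attributes in a stored snapshot whose values already contain markup. The snapshots, asset id and attribute names are constructed for the example.

```javascript
// Added example (not Nozomi Networks code): rendering a snapshot diff of
// asset attributes safely vs. unsafely, plus a check for stored HTML.
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);

// Constructed sample snapshots of one asset taken at two different times;
// the second carries a tag that arrived via an unvalidated attribute value.
const snapshotT1 = { id: "asset-42", attrs: { vendor: "Acme", fw: "1.0" } };
const snapshotT2 = {
  id: "asset-42",
  attrs: { vendor: 'Acme <a href="https://example.invalid/">support</a>', fw: "1.1" },
};

// Compute attribute-level changes between two snapshots (sorted by key).
function diffAttrs(before, after) {
  const keys = new Set([...Object.keys(before.attrs), ...Object.keys(after.attrs)]);
  const changes = [];
  for (const k of [...keys].sort()) {
    if (before.attrs[k] !== after.attrs[k]) {
      changes.push({ key: k, before: before.attrs[k] ?? "", after: after.attrs[k] ?? "" });
    }
  }
  return changes;
}

// Vulnerable pattern: attribute values concatenated straight into markup,
// so a tag stored in an attribute becomes part of the rendered page.
function renderDiffUnsafe(changes) {
  return changes
    .map((c) => `<tr><td>${c.key}</td><td>${c.before}</td><td>${c.after}</td></tr>`)
    .join("");
}

// Hardened pattern: every untrusted value is escaped before it reaches markup.
function renderDiffSafe(changes) {
  const cell = (v) => `<td>${escapeHtml(v)}</td>`;
  return changes.map((c) => `<tr>${cell(c.key)}${cell(c.before)}${cell(c.after)}</tr>`).join("");
}

// Defender check: names of attributes in a snapshot whose values contain a tag,
// usable when reviewing stored snapshots for injection attempts.
function attrsWithMarkup(snapshot) {
  return Object.entries(snapshot.attrs)
    .filter(([, v]) => /<\s*\/?[a-z!][^>]*>/i.test(String(v)))
    .map(([k]) => k);
}
```

The escaped view still shows the injected text to the analyst, which is the desired behaviour: the change is visible in the diff without being interpreted by the browser.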
Potential Impact
For European organizations deploying Nozomi Networks Guardian, particularly those relying on the Time Machine Snapshot Diff feature for network monitoring and asset management, this vulnerability poses a risk of targeted phishing and open redirect attacks. While the direct impact on system confidentiality, integrity, and availability is limited, successful exploitation could lead to user deception, credential theft, or redirection to malicious sites, potentially compromising user trust and operational security. The requirement for user interaction and specific GUI actions reduces the likelihood of widespread exploitation but does not eliminate the risk in environments where multiple users access snapshot diffs. Organizations in critical infrastructure sectors or those with high reliance on Guardian for operational technology (OT) security monitoring may face increased risk due to the strategic importance of their assets and the potential for social engineering attacks leveraging this vulnerability. The lack of known exploits in the wild suggests limited current threat activity, but the vulnerability should be addressed proactively to prevent future exploitation.
Mitigation Recommendations
European organizations should implement the following specific mitigations:
1) Restrict access to the Time Machine Snapshot Diff feature to trusted users only, minimizing exposure to untrusted or unauthenticated network traffic.
2) Monitor network traffic for unusual or suspicious packet patterns that could indicate attempts to inject malicious HTML tags.
3) Educate users on the risks of interacting with snapshot diffs from unverified sources and encourage cautious behavior when performing GUI actions on snapshots.
4) Employ network segmentation and strict firewall rules to limit exposure of Nozomi Guardian interfaces to untrusted networks.
5) Regularly review and apply any vendor-provided updates or patches as they become available, and engage with Nozomi Networks support to obtain guidance on remediation.
6) Consider implementing additional Content Security Policy (CSP) enhancements or browser security configurations to further restrict the execution of injected content.
7) Conduct periodic security assessments and penetration tests focusing on the Guardian deployment to identify and remediate similar injection vectors.
Affected Countries
Germany, France, United Kingdom, Italy, Netherlands, Spain, Poland, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: Nozomi
- Date Reserved: 2025-04-16T09:04:25.006Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 694401044eb3efac36886091
Added to database: 12/18/2025, 1:26:28 PM
Last enriched: 12/25/2025, 2:15:35 PM
Last updated: 2/7/2026, 11:09:53 AM