
CVE-2025-40891: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Nozomi Networks Guardian

Severity: Low
Published: Thu Dec 18 2025 (12/18/2025, 13:14:35 UTC)
Source: CVE Database V5
Vendor/Project: Nozomi Networks
Product: Guardian

Description

A Stored HTML Injection vulnerability was discovered in the Time Machine Snapshot Diff functionality due to improper validation of network traffic data. An unauthenticated attacker can send specially crafted network packets at two different times to inject HTML tags into asset attributes across two snapshots. Exploitation requires a victim to use the Time Machine Snapshot Diff feature on those specific snapshots and perform specific GUI actions, at which point the injected HTML renders in their browser, enabling phishing and open redirect attacks. Full XSS exploitation is prevented by input validation and Content Security Policy. Attack complexity is high due to multiple required conditions.

AI-Powered Analysis

AI analysis last updated: 12/18/2025, 13:42:12 UTC

Technical Analysis

CVE-2025-40891 is a stored HTML injection vulnerability (CWE-79) in the Time Machine Snapshot Diff feature of Nozomi Networks Guardian. Guardian builds its asset inventory passively from observed network traffic, so asset attribute values are ultimately attacker-controlled data; the affected code did not validate that data adequately before storing it, and the diff view later rendered it into the page as markup rather than as text. An unauthenticated attacker who can place traffic on a monitored segment sends crafted packets at two different times so that HTML tags land in an asset's attributes in two separate snapshots. Nothing happens at injection time: the payload renders only when a user opens the Snapshot Diff for those two snapshots and performs the specific GUI actions that display the affected attribute. Because the browser is then shown attacker-written markup, the attacker can insert misleading content and links (phishing) or send the user to an external site (open redirect). Script execution is blocked by input validation and the Content Security Policy, so this is HTML injection rather than full cross-site scripting: the attacker cannot run script to read cookies, alter the DOM or act on the user's behalf. Attack complexity is high because the crafted traffic must be captured in two snapshots and the victim must then diff exactly those snapshots and interact with the affected entry, although no privileges or authentication are needed to send the packets. The CVSS 4.0 base score is 2.3 (low): the impact on confidentiality, integrity and availability is limited and exploitation depends on user interaction and several preconditions. No exploits in the wild have been reported and no patch is linked on this record. The underlying lesson is that data harvested from the network (hostnames, vendor strings, protocol fields) must be treated as untrusted and encoded at output time wherever the web interface renders it, regardless of any filtering applied on the way in.

Potential Impact

For European organizations running Nozomi Networks Guardian, especially those that use Time Machine Snapshot Diff to review changes in OT and ICS asset inventories, the risk is low but not negligible. The people who open a Snapshot Diff are typically SOC analysts and OT administrators, so the attacker gets to place their own markup in front of a privileged audience: a fake "session expired, sign in again" link or a redirect to a look-alike console can harvest console credentials or lead the analyst to a malicious site. Because script execution is blocked by the Content Security Policy, the injected content cannot itself steal session cookies or act on the user's behalf; any further compromise would require the victim to act on the lure or a second vulnerability. The attacker also needs the ability to inject traffic into a segment Guardian monitors, which in a properly segmented plant network already implies a foothold or physical access. The high attack complexity and reliance on user interaction make broad exploitation unlikely, but entities in critical infrastructure sectors such as energy, manufacturing and transportation should treat the monitoring console as a high-value target and apply the mitigations below.

Mitigation Recommendations

Organizations should implement the following specific mitigations:
1) Watch Nozomi Networks' advisories for a fixed Guardian release and apply it promptly; no patch is linked on this record yet.
2) Restrict the Time Machine Snapshot Diff feature to the smallest set of trusted users the role model allows, to reduce the audience that could be shown injected content.
3) Brief analysts and administrators that asset attribute values in Guardian are derived from network traffic and can be attacker-authored: links, login prompts or instructions appearing inside an asset attribute in a diff view should be treated as suspicious and never followed.
4) Control who can place traffic on monitored segments. The injection requires the attacker's packets to reach a SPAN port or TAP that Guardian ingests, so network segmentation and port security on plant networks reduce exposure.
5) Review asset attributes for HTML markup. Querying the asset inventory (through the console, its API or an export) for hostnames, vendor strings and other free-text fields containing characters such as < and > surfaces both exploitation attempts and benign oddities.
6) Run the Guardian console from a hardened or dedicated administrative browser profile, since the product's own Content Security Policy and input validation are not under customer control, and keep that browser's outbound access limited so an open redirect leads nowhere useful.
7) Conduct regular security audits and penetration testing focused on web interface vulnerabilities in OT/ICS monitoring tools, and include network-derived data fields in the test scope.
8) Enforce role-based access control and audit logging for snapshot creation, viewing and diffing so unusual snapshot activity can be detected.
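The following is an added example, not Guardian's code and not from Nozomi Networks; it models the pattern described in the Technical Analysis and the attribute review suggested in mitigation 5. Two constructed snapshots (hypothetical asset IPs and attribute names) are diffed, the diff is rendered once the vulnerable way (values concatenated into markup) and once the hardened way (values HTML-escaped at output time), and a detection check lists every attribute in a snapshot that contains an HTML tag. The attacker-controlled value is the hostname of 10.0.0.7, which a passive sensor would learn from traffic.

```python
import html
import re
from typing import Dict, List, Tuple

Snapshot = Dict[str, Dict[str, str]]   # asset id -> {attribute: value}
Change = Tuple[str, str, str, str]     # (asset, attribute, old value, new value)

# Constructed sample snapshots (hypothetical, not Guardian data). The hostname of
# 10.0.0.7 is the attacker-controlled attribute: a passive sensor learns such
# values from traffic, so crafted packets at two points in time can plant
# different markup in two snapshots.
SNAPSHOT_T1: Snapshot = {
    "10.0.0.7": {"hostname": "<i>plc-01</i>", "vendor": "Siemens"},
    "10.0.0.8": {"hostname": "hmi-02", "vendor": "Rockwell"},
}
SNAPSHOT_T2: Snapshot = {
    "10.0.0.7": {
        "hostname": '<a href="https://attacker.example/login">plc-01 (session expired, sign in)</a>',
        "vendor": "Siemens AG",
    },
    "10.0.0.8": {"hostname": "hmi-02", "vendor": "Rockwell"},
}

# Matches an opening or closing HTML tag such as <i>, </i> or <a href="...">.
TAG_RE = re.compile(r"</?[A-Za-z][^>]*>")


def diff_snapshots(old: Snapshot, new: Snapshot) -> List[Change]:
    """Return every (asset, attribute) whose value differs between two snapshots."""
    changes: List[Change] = []
    for asset in sorted(set(old) | set(new)):
        old_attrs = old.get(asset, {})
        new_attrs = new.get(asset, {})
        for attr in sorted(set(old_attrs) | set(new_attrs)):
            before = old_attrs.get(attr, "")
            after = new_attrs.get(attr, "")
            if before != after:
                changes.append((asset, attr, before, after))
    return changes


def render_diff_vulnerable(changes: List[Change]) -> str:
    """Vulnerable pattern: values are concatenated into the page as markup, so a
    hostname containing <a href=...> becomes a live link in the analyst's browser."""
    rows = [
        f"<tr><td>{asset}</td><td>{attr}</td><td>{old}</td><td>{new}</td></tr>"
        for asset, attr, old, new in changes
    ]
    return "<table>" + "".join(rows) + "</table>"


def render_diff_hardened(changes: List[Change]) -> str:
    """Hardened pattern: every network-derived value is HTML-escaped at output
    time, so the same hostname is displayed literally as text."""
    e = html.escape  # escapes < > & " and ' by default
    rows = [
        f"<tr><td>{e(asset)}</td><td>{e(attr)}</td><td>{e(old)}</td><td>{e(new)}</td></tr>"
        for asset, attr, old, new in changes
    ]
    return "<table>" + "".join(rows) + "</table>"


def find_markup(snapshot: Snapshot) -> List[Tuple[str, str, str]]:
    """Detection check: list (asset, attribute, value) entries containing HTML tags.
    Run over each snapshot, it surfaces injection attempts before anyone diffs them."""
    hits: List[Tuple[str, str, str]] = []
    for asset, attrs in sorted(snapshot.items()):
        for attr, value in sorted(attrs.items()):
            if TAG_RE.search(value):
                hits.append((asset, attr, value))
    return hits


if __name__ == "__main__":
    changes = diff_snapshots(SNAPSHOT_T1, SNAPSHOT_T2)
    print("vulnerable:", render_diff_vulnerable(changes))
    print("hardened:  ", render_diff_hardened(changes))
    for snap_name, snap in (("T1", SNAPSHOT_T1), ("T2", SNAPSHOT_T2)):
        for asset, attr, value in find_markup(snap):
            print(f"markup in snapshot {snap_name}: {asset} {attr} = {value!r}")
```

The hardened renderer is the actual fix for this class of bug: escaping at the point of output makes the CSP a second line of defence rather than the only thing standing between a crafted hostname and a clickable phishing link. The detection function is deliberately simple; in practice it would be run against the inventory after each snapshot, and any hit in a field that should only ever hold a hostname or vendor string is worth an alert.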


Technical Details

Data Version
5.2
Assigner Short Name
Nozomi
Date Reserved
2025-04-16T09:04:25.006Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 694401044eb3efac36886091

Added to database: 12/18/2025, 1:26:28 PM

Last enriched: 12/18/2025, 1:42:12 PM

Last updated: 12/18/2025, 2:45:00 PM


