CVE-2025-40893: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Nozomi Networks Guardian
CVE-2025-40893 is a medium severity Stored HTML Injection vulnerability in Nozomi Networks Guardian's Asset List functionality. It arises from improper validation of network traffic data, allowing unauthenticated attackers to inject HTML tags into asset attributes. When users view these assets, the injected HTML renders in their browsers, enabling phishing and potential open redirect attacks. However, full cross-site scripting exploitation and direct information disclosure are mitigated by existing input validation and Content Security Policy configurations. The vulnerability does not require authentication but does require user interaction to trigger the malicious payload. No known exploits are currently reported in the wild. Organizations using Nozomi Networks Guardian should prioritize patching or applying mitigations to prevent exploitation, especially those in critical infrastructure sectors.
AI Analysis
Technical Summary
CVE-2025-40893 is a Stored HTML Injection vulnerability classified under CWE-79, affecting Nozomi Networks Guardian, a product widely used for operational technology (OT) and industrial control system (ICS) security monitoring. The vulnerability exists in the Asset List functionality, where network traffic data is improperly validated before being incorporated into asset attributes displayed in the user interface. An unauthenticated attacker can craft malicious network packets that embed HTML tags into these attributes. When a legitimate user accesses the Asset List or similar views, the injected HTML is rendered by the browser. This can facilitate phishing attacks by displaying deceptive content or enable open redirect attacks by manipulating links. Despite these risks, the vulnerability is partially mitigated by existing input validation and a Content Security Policy (CSP) that restricts script execution, preventing full cross-site scripting (XSS) exploitation and direct data leakage. The CVSS 4.0 base score is 5.3 (medium), reflecting a network attack vector, no privileges or authentication required, user interaction needed, and limited impact on confidentiality and integrity. No patches or exploits are currently reported, but the vulnerability's presence in a critical security monitoring tool raises concerns about potential targeted attacks in industrial environments.
Potential Impact
For European organizations, especially those operating critical infrastructure such as energy, manufacturing, and transportation sectors where Nozomi Networks Guardian is deployed, this vulnerability poses a risk of social engineering attacks via phishing and redirection. Successful exploitation could lead to compromised user trust, credential theft, or redirection to malicious sites, potentially enabling further attacks on OT environments. Although direct data exfiltration or system compromise is unlikely due to mitigations, the ability to inject HTML content undermines the integrity of the monitoring interface and could facilitate multi-stage attacks. Disruption or manipulation of security monitoring tools can delay incident detection and response, increasing the risk of operational impact. The vulnerability's unauthenticated nature and network-based exploitation vector increase its attractiveness to attackers targeting European critical infrastructure organizations.
Mitigation Recommendations
Organizations should immediately review and apply any available patches or updates from Nozomi Networks once released. In the absence of patches, implement network-level filtering to block suspicious or malformed packets that could carry malicious payloads targeting the Asset List functionality. Enhance monitoring for unusual asset attribute changes or unexpected HTML content in the Guardian interface. Strengthen Content Security Policy configurations to further restrict allowed content sources and script execution. Educate users to recognize phishing attempts and suspicious redirects originating from the Guardian interface. Consider isolating the Guardian management interface to trusted networks and restricting access to authorized personnel only. Regularly audit and sanitize input sources feeding into the Asset List to prevent injection of malicious data. Collaborate with Nozomi Networks support for guidance on temporary workarounds or configuration changes that reduce exposure.
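The technical summary above describes the defect (traffic-derived strings stored as asset attributes without validation, then rendered as HTML) and the mitigation list asks for monitoring of unexpected HTML content and sanitizing of input sources. The following is an added example, not code from Nozomi Networks or from Guardian, of the three defensive layers a practitioner would apply to any asset-inventory UI: an allowlist check on ingest, a scan of already-stored records for tag-like markup, and output encoding at render time. The asset records, attribute names and values are constructed for the example.

```python
import html
import re

# Constructed sample records, shaped like what a passive monitoring tool might
# learn from observed traffic. The second and third records carry markup in
# the hostname attribute; none of these values come from a real deployment.
SAMPLE_ASSETS = [
    {"ip": "10.0.1.20", "hostname": "plc-line-3", "vendor": "ExampleVendor"},
    {"ip": "10.0.1.21", "hostname": '<a href="https://example.com/">hmi-02</a>', "vendor": "ExampleVendor"},
    {"ip": "10.0.1.22", "hostname": "hist-01 <b>", "vendor": "ExampleVendor"},
    {"ip": "10.0.1.23", "hostname": "x < y", "vendor": "ExampleVendor"},
]

# Layer 1: ingest-time allowlist. A hostname label is letters, digits and
# hyphens (RFC 1123 style); anything else is rejected before it is stored.
HOSTNAME_PATTERN = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def is_valid_hostname(value: str) -> bool:
    """True only if the whole string matches the hostname allowlist."""
    return len(value) <= 253 and HOSTNAME_PATTERN.fullmatch(value) is not None


# Layer 2: detection over stored data. A tag-like token is '<', an optional
# '/', then a letter; a bare '<' followed by a space (as in "x < y") is not a
# tag and is not flagged, which is why layer 3 is still needed.
TAG_PATTERN = re.compile(r"</?[A-Za-z][^<>]*>?")


def find_markup(value: str) -> list[str]:
    """Return every tag-like fragment found in an attribute value."""
    return TAG_PATTERN.findall(value)


def audit_assets(assets: list[dict]) -> list[tuple[str, str, list[str]]]:
    """Scan every string attribute of every asset; report (ip, attribute, fragments)."""
    findings = []
    for asset in assets:
        for attr, value in asset.items():
            if isinstance(value, str):
                hits = find_markup(value)
                if hits:
                    findings.append((asset["ip"], attr, hits))
    return findings


# Layer 3: output encoding. Whatever is stored, the five HTML-significant
# characters are escaped when the value is placed in an HTML text or
# attribute context, so the browser shows the string instead of parsing it.
def render_cell(value: str) -> str:
    """Encode an attribute value for safe inclusion in an HTML table cell."""
    return html.escape(value, quote=True)


def render_table(assets: list[dict]) -> str:
    """Build an HTML table of assets with every cell output-encoded."""
    rows = []
    for asset in assets:
        cells = "".join(f"<td>{render_cell(str(v))}</td>" for v in asset.values())
        rows.append(f"<tr>{cells}</tr>")
    return "<table>" + "".join(rows) + "</table>"


if __name__ == "__main__":
    for ip, attr, hits in audit_assets(SAMPLE_ASSETS):
        print(f"{ip}: markup in '{attr}': {hits}")
    for asset in SAMPLE_ASSETS:
        print(asset["hostname"], "valid" if is_valid_hostname(asset["hostname"]) else "rejected")
    print(render_table(SAMPLE_ASSETS))
```

The detection scan is a triage aid, not a substitute for encoding: it will not catch every way a string can break out of an HTML context, so the render path escapes unconditionally. The ingest allowlist is the fix for the CWE-79 root cause named in the summary, because it never lets traffic-derived bytes reach storage unless they match what a hostname is allowed to be.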
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Nozomi
- Date Reserved: 2025-04-16T09:04:25.007Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 694401044eb3efac36886097
Added to database: 12/18/2025, 1:26:28 PM
Last enriched: 12/25/2025, 2:16:10 PM
Last updated: 2/6/2026, 4:58:01 AM