CVE-2025-40895 is a stored HTML injection vulnerability classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) affecting Nozomi Networks CMC, specifically its Sensor Map functionality. The issue arises from insufficient validation of properties on connected Guardians, which are components integrated with the CMC platform. An attacker with administrator privileges on a Guardian can manipulate its properties to inject arbitrary HTML code. When a user of the CMC interacts with the Sensor Map, this injected HTML is rendered in their browser. This could facilitate phishing attacks by displaying deceptive content or enable open redirect attacks by manipulating links. Despite this, the vulnerability does not allow full cross-site scripting exploitation or direct data disclosure due to existing input validation measures and a Content Security Policy that restricts script execution and resource loading. The attack vector requires the attacker to have high privileges (administrator on a Guardian) and requires user interaction (the victim must interact with the Sensor Map). The CVSS 4.0 vector indicates network attack vector, low attack complexity, partial authentication required, high privileges, partial user interaction, no confidentiality or availability impact, low integrity impact, and limited scope. No patches or known exploits are currently documented, and the vulnerability was published in March 2026.

The impact of this vulnerability is relatively limited due to several mitigating factors. The requirement for an attacker to have administrator privileges on a Guardian restricts the pool of potential attackers to trusted insiders or compromised accounts with elevated rights. The necessity for user interaction (engaging with the Sensor Map) further reduces the likelihood of exploitation. Potential impacts include phishing attacks or open redirect scenarios that could deceive users into divulging sensitive information or visiting malicious sites. However, the inability to execute full cross-site scripting or directly disclose information limits the severity. For organizations relying on Nozomi Networks CMC in critical infrastructure or industrial control environments, even low-severity vulnerabilities warrant attention due to the sensitive nature of these deployments. Attackers exploiting this vulnerability could undermine user trust or attempt lateral movement by leveraging social engineering facilitated through the injected HTML.

To mitigate this vulnerability, organizations should first ensure strict access control and monitoring of administrator privileges on Guardians connected to the CMC. Limit the number of users with such high-level access and enforce strong authentication mechanisms, including multi-factor authentication. Regularly audit Guardian property changes to detect unauthorized or suspicious modifications. Disable the Sensor Map functionality if it is not essential to reduce the attack surface. Implement additional input validation and sanitization on the server side for all properties that can be edited by administrators to prevent injection of HTML or script content. Review and strengthen Content Security Policy configurations to further restrict the execution of injected content. Stay informed about vendor patches or updates addressing this vulnerability and apply them promptly once available. Conduct user awareness training to recognize phishing attempts that might arise from this vulnerability. Finally, consider network segmentation to isolate CMC components and reduce the impact of compromised credentials.