CVE-2025-40898 is a path traversal vulnerability classified under CWE-22, discovered in the Import Arc data archive functionality of Nozomi Networks Guardian. The vulnerability arises due to insufficient validation of the input file path during the import process. An authenticated user with limited privileges can exploit this by uploading a specially crafted Arc data archive containing path traversal sequences (e.g., '../') that bypass directory restrictions. This allows the attacker to write arbitrary files outside the intended directory, potentially overwriting critical configuration files or placing malicious files that affect the device's operation and availability. The vulnerability does not require user interaction beyond the upload and does not require elevated privileges beyond authentication. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no attack prerequisites (AT:N), privileges required are low (PR:L), no user interaction (UI:N), and impacts both integrity and availability at a high level (VI:H, VA:H). No patches or exploits are currently publicly available, but the flaw presents a significant risk due to the potential for operational disruption or device compromise in industrial control environments where Nozomi Guardian is deployed.

For European organizations, especially those operating critical infrastructure such as energy, manufacturing, transportation, and utilities, this vulnerability poses a serious risk. Nozomi Networks Guardian is widely used for OT and ICS network monitoring and security, so exploitation could lead to unauthorized configuration changes, disabling of security monitoring, or denial of service conditions. This could result in operational downtime, safety incidents, or data integrity issues. The ability for a low-privileged authenticated user to write arbitrary files increases the attack surface and could facilitate further lateral movement or persistence within OT environments. Given the strategic importance of industrial sectors in Europe and the increasing targeting of OT systems by threat actors, the impact could be substantial if exploited.

1. Immediately restrict the ability to upload Arc data archives to only fully trusted and necessary users, minimizing the number of accounts with upload privileges. 2. Implement strict input validation and sanitization on the server side to detect and block path traversal sequences in uploaded archives. 3. Monitor file system changes on devices running Nozomi Guardian for unexpected or unauthorized file writes, especially outside designated import directories. 4. Employ network segmentation and access controls to limit exposure of the Guardian management interfaces. 5. Regularly audit user accounts and permissions to ensure least privilege principles are enforced. 6. Engage with Nozomi Networks for patches or updates addressing this vulnerability as soon as they become available. 7. Consider deploying application-layer firewalls or intrusion detection systems capable of detecting anomalous upload patterns or path traversal attempts. 8. Conduct security awareness training for administrators to recognize suspicious activities related to archive uploads.