CVE-2025-40898: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Nozomi Networks Guardian
A path traversal vulnerability was discovered in the Import Arc data archive functionality due to insufficient validation of the input file. An authenticated user with limited privileges, by uploading a specifically-crafted Arc data archive, can potentially write arbitrary files in arbitrary paths, altering the device configuration and/or affecting its availability.
AI Analysis
Technical Summary
CVE-2025-40898 is a path traversal vulnerability identified in the Import Arc data archive feature of Nozomi Networks Guardian, a security product designed for operational technology (OT) and industrial control system (ICS) environments. The vulnerability arises due to improper validation of the input file path when importing Arc data archives. An authenticated user with limited privileges can craft a malicious archive file that, when imported, allows writing arbitrary files to arbitrary locations on the device's file system. This can lead to unauthorized modification of critical device configuration files or disruption of device availability by overwriting or deleting essential files. The vulnerability does not require user interaction beyond the initial upload and can be exploited remotely over the network, as indicated by the CVSS vector (AV:N/AC:L/PR:L/UI:N). The integrity and availability impacts are rated high, while confidentiality impact is none, reflecting the ability to alter system behavior or cause denial of service without leaking sensitive information. Nozomi Networks has not yet released a patch, and no public exploits have been reported. The vulnerability was reserved in April 2025 and published in December 2025, indicating a recent discovery. Given the critical role of Nozomi Guardian in monitoring and protecting OT environments, exploitation could have serious operational consequences.
Potential Impact
For European organizations, especially those operating critical infrastructure such as energy, manufacturing, transportation, and utilities, this vulnerability poses a significant risk. Nozomi Networks Guardian is widely used in OT and ICS environments to provide visibility and security monitoring. Successful exploitation could allow an attacker with limited access to escalate their impact by modifying device configurations or causing service disruptions, potentially leading to operational downtime, safety hazards, or cascading failures in industrial processes. The ability to write arbitrary files could also facilitate persistence or further compromise within OT networks. Given the increasing regulatory focus on cybersecurity in critical sectors across Europe, exploitation could also result in compliance violations and reputational damage. The lack of known exploits in the wild provides a window for proactive mitigation, but the high severity score underscores the urgency of addressing the vulnerability.
Mitigation Recommendations
1. Immediately restrict access to the Import Arc data archive functionality to only highly trusted and necessary users, minimizing the attack surface.
2. Implement strict role-based access controls (RBAC) and monitor user activities related to archive imports.
3. Employ network segmentation to isolate Nozomi Guardian devices from less trusted network zones, reducing exposure.
4. Monitor file system integrity on Guardian devices using host-based intrusion detection systems (HIDS) to detect unauthorized file writes or configuration changes.
5. Validate and sanitize all imported archive contents manually or via automated scripts before import, if possible, to detect malicious payloads.
6. Coordinate with Nozomi Networks for timely patch deployment once an official fix is released.
7. Maintain up-to-date backups of device configurations to enable rapid recovery in case of compromise.
8. Conduct regular security audits and penetration testing focusing on OT environment access controls and import functionalities.
9. Educate users with import privileges about the risks and signs of exploitation attempts.
10. Consider deploying application whitelisting or sandboxing techniques on Guardian devices to limit the impact of arbitrary file writes.
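The pre-import validation that recommendation 5 calls for, shown as an added example rather than Nozomi's own code: every archive member is resolved against the intended extraction root and rejected if it escapes it, is absolute, or is a link entry. The staging directory name and the sample archive are constructed placeholders.

```python
import io
import os
import tarfile

# Placeholder staging directory for the import; not a real Guardian path.
IMPORT_ROOT = "/var/lib/import-staging"


def entry_is_contained(root: str, name: str) -> bool:
    """True only if archive member `name` resolves to a path strictly inside `root`.
    Absolute names and '..' escapes resolve elsewhere and are rejected."""
    if not name or name.startswith(("/", "\\")) or os.path.isabs(name):
        return False
    root_abs = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_abs, name))
    # commonpath (not startswith) avoids prefix tricks such as /root vs /root-evil
    return os.path.commonpath([root_abs, target]) == root_abs and target != root_abs


def audit_archive(data: bytes, root: str = IMPORT_ROOT) -> dict:
    """Classify each tar member as accepted or rejected without extracting anything."""
    verdict = {"accepted": [], "rejected": []}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            # Link entries are rejected outright: a contained name can still point
            # at a target outside the root once the link is followed.
            if member.issym() or member.islnk():
                verdict["rejected"].append(member.name)
            elif entry_is_contained(root, member.name):
                verdict["accepted"].append(member.name)
            else:
                verdict["rejected"].append(member.name)
    return verdict


def build_sample_archive() -> bytes:
    """Constructed sample: one benign entry plus traversal, absolute and symlink entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("data/sensor.csv", "../../etc/target.conf", "/abs/target.conf"):
            payload = b"ts,value\n1,2\n"
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        link = tarfile.TarInfo("conf/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../etc/target.conf"
        tar.addfile(link)
    return buf.getvalue()
```

Running `audit_archive(build_sample_archive())` accepts only `data/sensor.csv`; an import routine would abort on any non-empty `rejected` list instead of extracting selectively.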
Affected Countries
Germany, France, United Kingdom, Italy, Netherlands, Spain, Belgium, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Nozomi
- Date Reserved: 2025-04-16T09:04:35.922Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 694401044eb3efac3688609a
Added to database: 12/18/2025, 1:26:28 PM
Last enriched: 12/18/2025, 1:41:23 PM
Last updated: 12/18/2025, 2:50:38 PM