CVE-2025-40900 Overview
CVE-2025-40900 is an Angular template injection vulnerability in the Reports functionality of Nozomi Networks CMC and Guardian products. The flaw stems from improper validation of an input parameter [CWE-1336]. An authenticated user with report privileges can craft a malicious report containing an Angular template payload. Alternatively, a victim can be socially engineered into importing a malicious report template. When the victim views or imports the report, the Angular template executes in their browser context. The attacker can then modify application data or disrupt application availability.
Critical Impact
Authenticated attackers can inject Angular templates that execute in a victim's browser, enabling limited integrity and availability impact within the Reports interface.
Affected Products
- Nozomi Networks CMC (Central Management Console)
- Nozomi Networks Guardian
- Reports functionality component
Discovery Timeline
- 2026-05-19 - CVE-2025-40900 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2025-40900
Vulnerability Analysis
The vulnerability resides in the Reports functionality of Nozomi Networks CMC and Guardian. The application fails to properly validate an input parameter that flows into an Angular template expression. Angular evaluates the expression on the client side when a user views or imports the report. The result is a template injection that is evaluated client-side, in the victim's browser context, rather than on the server [CWE-1336].
The attack requires an authenticated user with report privileges to create the malicious payload. Alternatively, an unauthenticated attacker can socially engineer a privileged victim into importing a tampered report template file. Execution occurs whenever the victim renders the report through the standard reporting interface.
Impact is constrained by two existing controls. Input validation reduces the range of accepted expressions, and the Content Security Policy (CSP) configuration blocks full cross-site scripting (XSS) escalation and direct exfiltration of sensitive data. The residual risk covers modification of application data presented by the report engine and disruption of application availability.
Root Cause
The root cause is inclusion of untrusted user input inside an Angular template context without escaping framework-specific syntax. The Reports component treats input as trusted template fragments rather than literal data, which allows Angular's expression parser to execute attacker-controlled directives.
Attack Vector
Exploitation is network-based and requires user interaction. A privileged attacker stores a malicious report in the application. A second authenticated user with permission to view or import that report triggers expression evaluation in their browser. No additional authentication prompts occur between report viewing and template execution.
No verified proof-of-concept exploit code is published. See the Nozomi Networks Security Advisory NN-2026:3-01 for vendor technical details.
Detection Methods for CVE-2025-40900
Indicators of Compromise
- Report objects containing Angular expression syntax such as double curly brace delimiters or ng- directives inside user-controlled fields.
- Unexpected modifications to report metadata or rendered report content visible to multiple users.
- Imports of report template files originating from unverified external sources or email attachments.
Detection Strategies
- Inspect stored report definitions in CMC and Guardian for template expression characters in fields that should contain plain text.
- Review audit logs for report creation, modification, and import events performed by accounts with report privileges.
- Correlate report view events with subsequent unexpected client-side errors or CSP violation reports from administrator browsers.
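The first detection strategy above can be run offline against exported report definitions. The following is an added example, not vendor or advisory code; it assumes reports can be exported as JSON, and the field names in the constructed sample are hypothetical.

```python
import html
import json
import re

# Angular interpolation delimiters and ng-* directive attributes (incl. data-/x- prefixes).
INTERPOLATION = re.compile(r"\{\{.*?\}\}", re.DOTALL)
DIRECTIVE = re.compile(r"(?<![\w-])(?:data-|x-)?ng-[a-z][\w-]*", re.IGNORECASE)

def iter_strings(node, path="$"):
    """Yield (path, value) for every string value in nested dicts and lists."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node

def find_template_syntax(report):
    """Return sorted (path, kind) findings for one parsed report definition."""
    findings = set()
    for path, raw in iter_strings(report):
        # Entity-encoded braces (&#123;&#123;) become live delimiters once
        # rendered as HTML, so test the decoded form as well as the raw one.
        for text in (raw, html.unescape(raw)):
            if INTERPOLATION.search(text):
                findings.add((path, "interpolation"))
            if DIRECTIVE.search(text):
                findings.add((path, "directive"))
    return sorted(findings)

# Constructed sample export; the structure and field names are assumptions.
SAMPLE_REPORT = json.loads(r"""
{
  "name": "Weekly asset summary",
  "description": "Assets seen {{ 1 + 1 }} times",
  "widgets": [
    {"title": "Top talkers", "footer": "Generated for long-term planning"},
    {"title": "<span ng-bind=\"x\">links</span>", "footer": "&#123;&#123;y&#125;&#125;"}
  ]
}
""")

if __name__ == "__main__":
    for path, kind in find_template_syntax(SAMPLE_REPORT):
        print(f"{path}: {kind}")
```

Findings are candidates for review rather than proof of abuse, since a plain-text field may contain braces for benign reasons.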
Monitoring Recommendations
- Enable browser CSP violation reporting endpoints and forward events to a centralized log store for analysis.
- Alert on report import operations performed outside change-control windows or by accounts that do not normally manage reports.
- Track user-agent and source IP for sessions that create or modify reports, focusing on deviations from baseline administrator activity.
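The correlation of report view events with CSP violation reports described above can be sketched as follows. This is an added example, not vendor code; the audit-log fields (`ts`, `user`, `src_ip`, `action`, `report_id`), the collector envelope (`received_at`, `src_ip`, `body`) and the 30-second window are assumptions, and all sample lines are constructed. Only the inner `csp-report` object follows the standard browser report format.

```python
import json
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)  # assumed: how long after a view a violation still counts
REPORT_ACTIONS = {"report_view", "report_import"}  # hypothetical audit action names

def correlate(audit_lines, csp_lines, window=WINDOW):
    """Return (report_id, user, violated_directive) for each CSP violation received
    from the same source IP within `window` after a report view or import."""
    views = [e for e in map(json.loads, audit_lines) if e.get("action") in REPORT_ACTIONS]
    hits = []
    for record in map(json.loads, csp_lines):
        received = datetime.fromisoformat(record["received_at"])
        body = record.get("body", {}).get("csp-report", {})
        for view in views:
            delta = received - datetime.fromisoformat(view["ts"])
            if view["src_ip"] == record["src_ip"] and timedelta(0) <= delta <= window:
                hits.append((view["report_id"], view["user"],
                             body.get("violated-directive", "unknown")))
    return hits

# Constructed audit events, one JSON object per line.
AUDIT = [
    '{"ts":"2026-05-21T09:15:00+00:00","user":"alice","src_ip":"192.0.2.5","action":"report_view","report_id":"r-17"}',
    '{"ts":"2026-05-21T09:20:00+00:00","user":"bob","src_ip":"192.0.2.9","action":"report_view","report_id":"r-03"}',
    '{"ts":"2026-05-21T09:21:00+00:00","user":"bob","src_ip":"192.0.2.9","action":"login"}',
]

# Constructed CSP reports as stored by a collector that adds receive time and source IP.
CSP = [
    '{"received_at":"2026-05-21T09:15:04+00:00","src_ip":"192.0.2.5","body":{"csp-report":{"document-uri":"https://cmc.example/reports/r-17","violated-directive":"script-src","blocked-uri":"inline"}}}',
    '{"received_at":"2026-05-21T09:40:00+00:00","src_ip":"192.0.2.9","body":{"csp-report":{"violated-directive":"img-src"}}}',
]

if __name__ == "__main__":
    for report_id, user, directive in correlate(AUDIT, CSP):
        print(f"report {report_id} viewed by {user} was followed by a {directive} violation")
```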
How to Mitigate CVE-2025-40900
Immediate Actions Required
- Apply the fixed version of Nozomi Networks CMC and Guardian as published in the vendor advisory NN-2026:3-01.
- Restrict the report privilege role to a minimal set of trusted administrators until patching completes.
- Audit existing stored reports and remove any that contain Angular expression syntax in unexpected fields.
Patch Information
Nozomi Networks has issued remediation guidance in Security Advisory NN-2026:3-01. Administrators should review the advisory for the specific fixed product versions and upgrade paths for CMC and Guardian deployments.
Workarounds
- Instruct users to refuse imports of report templates received from external or untrusted parties.
- Limit accounts holding the report management privilege and require multi-factor authentication for those accounts.
- Validate that the existing Content Security Policy configuration remains enforced, since it limits exploitation impact to data modification and availability disruption.
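# Example: list users with report privileges for review
# The endpoint path and role name are placeholders; replace them with the actual
# administrative CLI or API call for your CMC/Guardian deployment
# -k skips TLS certificate verification; remove it if the appliance presents a trusted certificate
curl -sk -H "Authorization: Bearer $TOKEN" \
  "https://<cmc-host>/api/v1/users?role=report_manager"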


