CVE-2025-40901 Overview
CVE-2025-40901 is a Stored HTML Injection vulnerability in the Credentials Manager functionality of Nozomi Networks CMC and Guardian products. The flaw stems from improper validation of an input parameter when defining an identity. An authenticated user with administrative privileges can craft a malicious identity name that contains HTML tags. When another user attempts to delete the affected identity, the injected HTML renders in their browser. This enables phishing and potential open redirect attacks against the victim. The existing input validation and Content Security Policy (CSP) configuration prevent full Cross-Site Scripting (XSS) exploitation and direct information disclosure.
Critical Impact
An authenticated administrator can inject persistent HTML into the Credentials Manager, rendering attacker-controlled content in other users' browsers during deletion workflows and enabling phishing or open redirect attacks.
Affected Products
- Nozomi Networks CMC (Central Management Console)
- Nozomi Networks Guardian
- Credentials Manager functionality across both products
Discovery Timeline
- 2026-05-19 - CVE-2025-40901 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2025-40901
Vulnerability Analysis
The vulnerability is classified under [CWE-79] Improper Neutralization of Input During Web Page Generation. It resides in the Credentials Manager component of Nozomi Networks CMC and Guardian. The application accepts identity names without sanitizing embedded HTML markup. Stored input is later rendered in the management interface during identity lifecycle operations.
Exploitation requires high privileges and user interaction, which limits the attack surface to scenarios involving multiple administrators. The injected payload executes within the trusted origin of the management console. CSP restrictions and existing validation logic prevent script execution, narrowing impact to HTML-based abuse such as fake login prompts or redirection links.
Root Cause
The Credentials Manager fails to neutralize HTML control characters in the identity name parameter before storing the value. When the deletion confirmation view renders the stored identity name, the browser interprets attacker-supplied tags as markup rather than text. The absence of contextual output encoding at the rendering layer is the underlying defect.
Attack Vector
The attack vector is network-based and requires an authenticated administrative session. An attacker first creates or modifies an identity entry, embedding HTML tags within the name field. The payload persists in the application's data store. A second administrator must subsequently initiate a delete action on the malicious identity for the payload to execute. The rendered HTML can present a phishing form, overlay misleading content, or redirect the victim to an external site.
No verified public proof-of-concept code is available for CVE-2025-40901. Refer to the Nozomi Networks Security Advisory for vendor-supplied technical details.
Detection Methods for CVE-2025-40901
Indicators of Compromise
- Identity records in the Credentials Manager containing HTML tags such as <a>, <img>, <form>, or <iframe> in the name field
- Audit log entries showing identity creation or modification by administrative accounts with unusual payload-like strings
- Browser-rendered phishing prompts or unexpected redirects appearing during identity deletion workflows
Detection Strategies
- Query the Credentials Manager backend for identity names containing angle brackets or HTML entity encodings
- Correlate administrative session activity with identity create, update, and delete events to identify suspicious sequences
- Inspect CSP violation reports for blocked inline content originating from the management console
Monitoring Recommendations
- Forward Nozomi CMC and Guardian audit logs to a centralized SIEM for retention and correlation
- Alert on administrative account changes to the Credentials Manager outside of approved change windows
- Monitor for repeated failed deletion attempts that may indicate payload tuning by an attacker
How to Mitigate CVE-2025-40901
Immediate Actions Required
- Apply the security update referenced in the Nozomi Networks Security Advisory NN-2026:4-01
- Review existing identity entries in the Credentials Manager and remove any records containing HTML markup
- Restrict administrative access to the Credentials Manager to a minimum set of trusted operators
- Enforce multi-administrator review for identity creation and modification
Patch Information
Nozomi Networks has published advisory NN-2026:4-01 detailing fixed versions for both CMC and Guardian. Administrators should consult the vendor advisory to identify the appropriate update for their deployment and apply it within their standard change management process.
Workarounds
- Limit Credentials Manager write access to a single administrative role until patches are deployed
- Manually validate identity names against an allowlist of alphanumeric characters before saving
- Train administrators to inspect identity entries before performing deletion actions in the management console
For configuration steps and fixed version details, refer directly to the Nozomi Networks Security Advisory.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
