CVE-2025-40902 Overview
CVE-2025-40902 is a stored HTML injection vulnerability in the Users functionality of Nozomi Networks CMC and Guardian products. The flaw stems from improper validation of an input parameter accepted during user creation. An authenticated administrator can create a user whose username contains HTML tags. The injected markup renders in another user's browser when that user attempts to delete a group containing the malicious account. The rendered content enables phishing and possible open redirect attacks against operators of the affected platforms. Existing input validation and Content Security Policy controls prevent full cross-site scripting and direct information disclosure. The weakness is tracked as CWE-79.
Critical Impact
Authenticated administrators can inject persistent HTML that renders in other operators' browsers, enabling phishing and open redirect attacks against Nozomi CMC and Guardian users.
Affected Products
- Nozomi Networks CMC (Central Management Console)
- Nozomi Networks Guardian
- See vendor advisory NN-2026:5-01 for fixed versions
Discovery Timeline
- 2026-05-19 - CVE-2025-40902 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2025-40902
Vulnerability Analysis
The vulnerability resides in the Users management feature of Nozomi Networks CMC and Guardian. The application accepts a username field without stripping or encoding HTML markup. The unsanitized value is stored server-side and later rendered in the administrative interface. When a different operator initiates the deletion of a group containing the malicious user, the browser parses the injected tags as markup rather than text. The attacker controls a portion of the rendered page during a routine administrative workflow.
The attack requires authenticated access with administrative privileges to create users, and victim interaction with the group deletion workflow. Existing Content Security Policy directives block script execution, which prevents the issue from escalating to full XSS or session theft. The residual risk is rendered hyperlinks, fake login prompts, and tag-based redirects that can be used for phishing within a trusted operational technology console.
Root Cause
The root cause is missing output encoding and insufficient input validation on the username parameter. The Users functionality stores attacker-supplied HTML verbatim and emits it into the DOM during the group deletion confirmation flow. This pattern matches the classic stored cross-site scripting weakness class described in CWE-79, reduced in impact by the platform's CSP.
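The two rendering paths below are an added illustration, not Nozomi's code: a hypothetical server-side template that concatenates stored usernames into the group deletion dialog, beside the hardened version that escapes every untrusted value on output and rejects markup-bearing names at creation time. The username allowlist is an assumption for the example.

```python
import html
import re
from typing import Iterable

# Username allowlist: letters, digits and a few punctuation marks, 1-64 chars.
# The exact policy is an assumption for this example, not the vendor's rule.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def validate_username(username: str) -> str:
    """Reject markup-bearing names at creation time (input validation)."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"username contains disallowed characters: {username!r}")
    return username


def render_delete_dialog_vulnerable(group: str, members: Iterable[str]) -> str:
    """Hypothetical vulnerable pattern: stored names concatenated into HTML."""
    items = "".join(f"<li>{m}</li>" for m in members)
    return f"<p>Delete group {group}?</p><ul>{items}</ul>"


def render_delete_dialog_fixed(group: str, members: Iterable[str]) -> str:
    """Hardened pattern: every untrusted value is HTML-escaped on output."""
    items = "".join(f"<li>{html.escape(m, quote=True)}</li>" for m in members)
    return f"<p>Delete group {html.escape(group, quote=True)}?</p><ul>{items}</ul>"


if __name__ == "__main__":
    # Constructed sample: one benign member and one markup-bearing name.
    members = ["operator1", '<a href="https://phish.invalid/login">re-authenticate</a>']
    print(render_delete_dialog_vulnerable("ot-admins", members))
    print(render_delete_dialog_fixed("ot-admins", members))
```

The escaped output shows the tag as literal text in the dialog, which is what the CWE-79 fix requires regardless of the CSP that currently limits the impact.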
Attack Vector
An authenticated attacker with administrative rights creates a user account whose username field contains HTML elements such as anchor or image tags. The payload persists in the user database. When a second administrator opens the deletion dialog for a group containing the crafted user, the browser renders the injected markup. The victim sees attacker-controlled content inside a trusted management console, which lends credibility to phishing links or spoofed UI elements pointing to external sites.
No verified public exploit code is available. The vulnerability is described in prose in the Nozomi Networks Security Advisory.
Detection Methods for CVE-2025-40902
Indicators of Compromise
- User accounts whose username fields contain HTML characters such as <, >, ", ', or full tags like <a>, <img>, or <iframe>.
- Audit log entries showing user creation events originating from administrative accounts with non-standard username payloads.
- Outbound browser requests from operator workstations to unexpected external domains immediately after group management operations.
Detection Strategies
- Query the CMC and Guardian user inventory for username values that fail a strict alphanumeric and punctuation allowlist.
- Correlate user creation API calls with subsequent group deletion events to identify the conditions required for payload rendering.
- Inspect browser CSP violation reports generated by operator sessions for blocked inline content during user management workflows.
Monitoring Recommendations
- Forward CMC and Guardian audit logs to a centralized SIEM and alert on username creation events containing angle brackets or URL schemes.
- Track administrative account activity and flag any creation of users with unusually long or markup-bearing names.
- Review group membership changes regularly and validate that displayed user data matches stored values without rendered markup.
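An added example, not a Nozomi tool, of the allowlist query and SIEM alert described above run over constructed audit lines; the JSON-lines layout and field names (event, actor, username) are assumptions that must be mapped to the real CMC or Guardian audit export.

```python
import json
import re
from typing import Dict, Iterable, List

# Allowlist from the Detection Strategies section; the exact set is assumed.
ALLOWLIST_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")
# Indicators listed above: HTML metacharacters and URL schemes in a username.
MARKUP_RE = re.compile(r"[<>\"']")
SCHEME_RE = re.compile(r"\b(?:https?|ftp|javascript|data):", re.IGNORECASE)


def suspicious_reasons(username: str) -> List[str]:
    """Return the indicator names that fire for one username (empty if clean)."""
    reasons = []
    if MARKUP_RE.search(username):
        reasons.append("html_metacharacters")
    if SCHEME_RE.search(username):
        reasons.append("url_scheme")
    if not ALLOWLIST_RE.fullmatch(username):
        reasons.append("allowlist_violation")
    return reasons


def scan_audit_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """One finding per user-creation event whose username trips an indicator."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        if event.get("event") != "user.create":
            continue
        username = str(event.get("username", ""))
        reasons = suspicious_reasons(username)
        if reasons:
            findings.append({"actor": event.get("actor"), "username": username, "reasons": reasons})
    return findings


# Constructed sample audit lines (not real Nozomi log output).
SAMPLE_LOG = """
{"ts": "2026-05-20T08:01:00Z", "event": "user.create", "actor": "admin1", "username": "ops.viewer"}
{"ts": "2026-05-20T08:02:10Z", "event": "group.delete", "actor": "admin2", "group": "shift-b"}
{"ts": "2026-05-20T08:03:42Z", "event": "user.create", "actor": "admin1", "username": "<a href=\\"https://phish.invalid\\">Login</a>"}
{"ts": "2026-05-20T08:04:00Z", "event": "user.create", "actor": "admin3", "username": "j.doe@site"}
"""

if __name__ == "__main__":
    for finding in scan_audit_log(SAMPLE_LOG.splitlines()):
        print(finding)
```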
How to Mitigate CVE-2025-40902
Immediate Actions Required
- Apply the vendor-supplied update referenced in Nozomi Networks advisory NN-2026:5-01 to all CMC and Guardian instances.
- Audit existing user accounts and remove or rename any account whose username contains HTML metacharacters.
- Restrict administrative role assignment to the minimum number of operators required for daily operations.
Patch Information
Nozomi Networks has published advisory NN-2026:5-01 with fixed version information for both CMC and Guardian. Operators should consult the advisory for the specific build numbers that remediate the input validation gap in the Users functionality and schedule upgrades according to vendor guidance.
Workarounds
- Enforce a strict username naming policy through operational procedures until patches are deployed across the fleet.
- Limit creation of new user accounts to a small, trusted set of administrators and require peer review for user provisioning.
- Train operators to verify rendered content in group deletion dialogs and to avoid clicking links that appear within usernames or other user-controlled fields.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.