CVE-2025-40903 Overview
CVE-2025-40903 is a stored HTML injection vulnerability in the Schedule Restore Archive functionality of Nozomi Networks CMC and Guardian products. The flaw stems from improper validation of an input parameter accepted when defining a restore schedule. An authenticated user with administrative privileges can craft a schedule containing HTML tags that render in the browser of any user who later views it.
The rendered markup enables phishing content and possible open redirect attacks against operators of the affected appliances. Existing input validation and the Content Security Policy (CSP) configuration block script execution (full cross-site scripting, XSS) and direct information disclosure, so the practical issue is HTML injection rather than XSS, although the weakness is still classified under CWE-79.
Critical Impact
Authenticated administrators can inject persistent HTML into the Schedule Restore Archive view, enabling phishing and open redirect attacks against other console users.
Affected Products
- Nozomi Networks CMC (Central Management Console)
- Nozomi Networks Guardian
- See the Nozomi Networks Security Advisory NN-2026:6-01 for fixed versions
Discovery Timeline
- 2026-05-19 - CVE-2025-40903 published to the National Vulnerability Database (NVD)
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2025-40903
Vulnerability Analysis
The vulnerability resides in the Schedule Restore Archive feature of Nozomi Networks CMC and Guardian. The feature accepts user-supplied input when an administrator defines a restore schedule. The application stores this input and later renders it inside the web console without sufficient HTML encoding.
When a victim views the affected schedule, the browser parses the stored payload as markup. Attackers can inject anchor tags, forms, images, iframes, or styled content to mimic legitimate UI elements, limited only by what the console's CSP directives (for example frame-src and img-src) permit to load. The injection persists across sessions because the malicious value is written to the appliance backend.
Nozomi Networks states that existing input validation and the deployed Content Security Policy prevent script execution and direct exfiltration of sensitive data. The residual risk centers on phishing payloads, social engineering overlays, and open redirects that point operators to attacker-controlled domains.
Root Cause
The Schedule Restore Archive endpoint does not enforce strict allowlist validation or output encoding on the affected input parameter. The stored value is later inserted into the rendered HTML response. This combination produces a persistent HTML injection sink consistent with CWE-79.
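The sink and its fix, as an added Python example that is not Nozomi's code (the renderer, field and function names are assumptions). The first renderer interpolates the stored schedule name straight into markup, which is the CWE-79 pattern described above; the hardened path applies an allowlist when the schedule is written and HTML-encodes the value when it is rendered. The payload is a constructed anchor of the phishing kind the advisory describes; note that CSP would do nothing against it, because an anchor is not a script.

```python
import html
import re

# Constructed payload: an anchor that looks like a console prompt but points at an
# attacker-controlled host. The domain is a placeholder, not an indicator from the advisory.
PHISHING_NAME = '<a href="https://login.example.invalid/sso">Re-authenticate to continue</a>'

# Allowlist for a schedule name: letters, digits, space, underscore, dot, dash, 1-64 chars.
# The exact character set is an assumption about what a schedule name legitimately needs.
_SCHEDULE_NAME_RE = re.compile(r"^[A-Za-z0-9 _.\-]{1,64}$")


def render_schedule_row_vulnerable(name: str) -> str:
    """Stored value interpolated into HTML with no encoding: the injection sink."""
    return f'<tr><td class="schedule-name">{name}</td></tr>'


def validate_schedule_name(name: str) -> str:
    """Input-side allowlist, applied when the schedule is created or updated."""
    if not _SCHEDULE_NAME_RE.fullmatch(name):
        raise ValueError("schedule name contains characters outside the allowlist")
    return name


def render_schedule_row_safe(name: str) -> str:
    """Output-side encoding: the value is escaped at the point it enters markup,
    so <, >, quotes and & reach the browser as text, not as tags or attributes."""
    return f'<tr><td class="schedule-name">{html.escape(name, quote=True)}</td></tr>'


def payload_rendered_as_markup(rendered: str) -> bool:
    """True if a live anchor survived into the response, i.e. the injection worked."""
    return "<a href=" in rendered


if __name__ == "__main__":
    vuln = render_schedule_row_vulnerable(PHISHING_NAME)
    safe = render_schedule_row_safe(PHISHING_NAME)
    print("vulnerable renderer emits live markup:", payload_rendered_as_markup(vuln))  # True
    print("encoded renderer keeps it as text:   ", payload_rendered_as_markup(safe))  # False
    try:
        validate_schedule_name(PHISHING_NAME)
    except ValueError as exc:
        print("rejected on write:", exc)
    print("accepted on write:", validate_schedule_name("nightly-restore_01"))
```

Both controls belong together: the allowlist stops the payload from ever being stored, and output encoding protects any field (and any older record) that the allowlist did not cover.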
Attack Vector
Exploitation requires an authenticated account with administrative privileges and user interaction from a victim who later views the malicious schedule. The attack vector is network-based against the management interface. A compromised administrator session, an insider, or a successful credential reuse attack can plant the payload, which then activates when other operators open the schedule view.
The vulnerability does not yield script execution in the console because the CSP blocks inline and external script sources. Practical impact involves rendering phishing forms inside the trusted console origin, or chaining anchor injection with open redirect behavior, to harvest credentials on an attacker-controlled site outside the appliance.
Detection Methods for CVE-2025-40903
Indicators of Compromise
- Restore schedule entries whose text fields (for example a name or description) contain HTML tags such as <a>, <iframe>, <img>, <form>, or <style>.
- Outbound navigation from console users to unexpected external domains immediately after they open the Schedule Restore Archive page.
- Audit log entries showing administrative accounts creating or modifying restore schedules at unusual times or from atypical source IP addresses.
Detection Strategies
- Review stored restore schedule records on CMC and Guardian appliances for HTML metacharacters and tag patterns.
- Correlate administrative API calls that write schedule definitions with the source user, IP address, and session identifier.
- Inspect browser console errors and CSP violation reports generated when affected users render the schedule page. These only fire when a payload attempts something the policy blocks (a script or a disallowed frame or image source); a bare anchor, form, or styled overlay that stays within policy produces no report, so this signal complements record inspection rather than replacing it.
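The record-inspection and audit-correlation strategies above, as an added Python example that is not part of the advisory or the Nozomi product. It scans a constructed export of restore-schedule records (the JSON field names are assumptions, not the appliance's API), flags values containing HTML tags or metacharacters, extracts any href/src/action target that points off the trusted console hosts (the open redirect indicator), and carries the creating account and source IP with each finding so it can be matched against audit logs.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample export of restore-schedule records. Field names, accounts and
# addresses are invented for the example; record 2 carries a phishing anchor,
# record 3 a tag with no external target.
SCHEDULES_JSON = r"""[
  {"id": 1, "name": "nightly-restore", "description": "Restore archive to staging",
   "created_by": "ops_admin", "source_ip": "10.0.10.15"},
  {"id": 2, "name": "Weekly <a href=\"https://portal.example.invalid/login\">re-auth</a>",
   "description": "", "created_by": "svc_backup", "source_ip": "203.0.113.40"},
  {"id": 3, "name": "archive-q2", "description": "<img src=x>",
   "created_by": "ops_admin", "source_ip": "10.0.10.15"}
]"""

# Hosts the console legitimately links to (placeholders); anything else is external.
TRUSTED_HOSTS = {"cmc.corp.example", "guardian.corp.example"}

TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)[^>]*>")
TARGET_RE = re.compile(r"""(?:href|src|action)\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
TEXT_FIELDS = ("name", "description")


def external_targets(value: str) -> list:
    """Link, frame, image or form targets whose host is not a trusted console host."""
    found = []
    for target in TARGET_RE.findall(value):
        host = urlparse(target).hostname
        if host and host not in TRUSTED_HOSTS:
            found.append(target)
    return found


def scan_schedules(records_json: str) -> list:
    """One finding per text field that contains markup or HTML metacharacters."""
    findings = []
    for rec in json.loads(records_json):
        for field in TEXT_FIELDS:
            value = rec.get(field, "")
            tags = sorted({t.lower() for t in TAG_RE.findall(value)})
            if not tags and not any(c in value for c in "<>"):
                continue  # clean field
            targets = external_targets(value)
            findings.append({
                "id": rec["id"],
                "field": field,
                "tags": tags,
                "external_targets": targets,
                # Audit correlation: who wrote the record and from where.
                "created_by": rec.get("created_by"),
                "source_ip": rec.get("source_ip"),
                "severity": "high" if targets else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in scan_schedules(SCHEDULES_JSON):
        print(f"schedule {f['id']} {f['field']}: tags={f['tags']} "
              f"external={f['external_targets']} by {f['created_by']}@{f['source_ip']} "
              f"[{f['severity']}]")
```

Run it against a real export after adding the console's own hostnames to TRUSTED_HOSTS; a medium finding with no external target is still worth removing, since a form or overlay can post to a relative path or simply mislead the operator.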
Monitoring Recommendations
- Enable and ship Nozomi Networks audit logs to a central SIEM and alert on schedule create or update events.
- Monitor administrative account logins for anomalous geographies, impossible travel, and off-hours activity.
- Track CSP violation reports from the management interface to surface payloads that attempt blocked scripts or sources; markup that stays within policy generates no report, so pair this with periodic scans of stored schedule records.
How to Mitigate CVE-2025-40903
Immediate Actions Required
- Apply the fixed releases listed in the Nozomi Networks Security Advisory NN-2026:6-01 to all CMC and Guardian instances.
- Audit existing Schedule Restore Archive entries and remove any record that contains HTML tags or unexpected characters.
- Rotate credentials for administrative accounts that may have been used to plant malicious schedule definitions.
- Restrict administrative console access to a small set of trusted source networks using firewall or VPN controls.
Patch Information
Nozomi Networks has published security advisory NN-2026:6-01, which documents fixed versions for CMC and Guardian. Upgrade affected appliances to the versions listed in that advisory. No exploit code is publicly available and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog at the time of publication.
Workarounds
- Limit administrative role assignment to the minimum number of operators and enforce multi-factor authentication on those accounts.
- Train console operators to verify the destination of any link rendered in the Schedule Restore Archive view before clicking.
- Review and, where possible, tighten the Content Security Policy on the management interface so that frames and form submissions cannot target external origins (the relevant directives are frame-src and form-action). On a vendor appliance the CSP is part of the product, so changes are normally only possible through a vendor release or a reverse proxy placed in front of the console, and any override must be tested against the console's own UI before rollout.
# Configuration example: restrict management interface access at the perimeter
# Apply on a perimeter firewall or bastion in front of the appliance; 10.0.10.0/24 is a placeholder operator subnet
iptables -A INPUT -p tcp --dport 443 -s 10.0.10.0/24 -j ACCEPT
# The DROP must follow the ACCEPT (rules are evaluated in order); check for earlier ACCEPT rules that would shadow it
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


