CVE-2025-40904 Overview
CVE-2025-40904 is a stored HTML injection vulnerability affecting Nozomi Networks CMC and Guardian products. The flaw resides in the Smart Polling functionality and stems from improper validation of an input parameter [CWE-79]. An authenticated user with limited privileges can push malicious remote strategies containing HTML tags through the sync mechanism. When a victim subsequently views the affected remote strategy in Smart Polling, the injected HTML renders in their browser. The vendor reports that existing input validation and Content Security Policy (CSP) configuration prevent full Cross-Site Scripting (XSS) and direct information disclosure.
Critical Impact
An authenticated low-privilege attacker can inject persistent HTML into Smart Polling views of CMC and Guardian appliances. Because the vendor reports that existing input validation and CSP prevent full XSS, the practical impact is not script execution in the victim's session but phishing (fake prompts and links rendered inside the trusted UI) and open-redirect style lures that depend on an operator clicking the injected markup.
Affected Products
- Nozomi Networks CMC (Central Management Console)
- Nozomi Networks Guardian
- Smart Polling functionality across both products
Discovery Timeline
- 2026-05-19 - CVE-2025-40904 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2025-40904
Vulnerability Analysis
The vulnerability is a stored HTML injection within the Smart Polling feature of Nozomi Networks CMC and Guardian. Smart Polling allows operators to define and synchronize remote strategies across managed sensors. The application accepts a parameter within remote strategy definitions without adequately sanitizing HTML markup before persisting and rendering it. When operators later open the affected strategy in the web interface, the stored markup is interpreted by the browser. The injection is persistent, meaning the payload triggers on every view of the affected resource until removed.
Root Cause
The root cause is improper neutralization of input during web page generation, classified under [CWE-79]. The vulnerable parameter passes HTML content through to the rendering layer without escaping reserved characters such as <, >, and quoting characters. The synchronization channel between CMC and Guardian propagates the unsanitized strategy data, expanding the blast radius from a single sensor to any node consuming the sync feed. The vendor reports that existing input validation and the deployed Content Security Policy prevent full XSS and direct information disclosure; they do not prevent arbitrary HTML structure from rendering, so markup-only payloads such as anchors, forms and overlays still reach the operator's browser.
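The distinction between rendering a stored field as markup and rendering it as text is the whole bug. The following added example, which is not code from Nozomi Networks or from this page, shows the flawed pattern beside its hardened form using a constructed strategy record; the field names and the table-cell template are assumptions, not the product's schema or templates.

```python
import html

# Constructed remote-strategy record (assumed field names, not the product schema).
# The "name" field carries the kind of markup-only payload the advisory describes:
# no <script>, so CSP is not involved, but a live anchor inside the trusted UI.
STRATEGY = {
    "id": 17,
    "name": '<a href="https://login.example.invalid/">Session expired, re-authenticate</a>',
    "author": "ops-readonly",
}


def render_unsafe(strategy):
    """Mirror the flawed behaviour: the stored value is concatenated into markup as-is,
    so the browser interprets the <a> tag and shows a clickable phishing link."""
    return f'<td class="strategy-name">{strategy["name"]}</td>'


def render_safe(strategy):
    """Hardened form: escape &, <, >, " and ' at the output boundary, so the browser
    displays the payload as literal text instead of interpreting it."""
    return f'<td class="strategy-name">{html.escape(strategy["name"], quote=True)}</td>'


def contains_live_anchor(rendered):
    """True if the rendered fragment still holds an interpretable anchor start tag."""
    return "<a " in rendered


if __name__ == "__main__":
    print("unsafe:", render_unsafe(STRATEGY))
    print("safe:  ", render_safe(STRATEGY))
```

The escaping belongs at the point where the value is written into the page, not at storage time: the sync channel then carries the raw string to CMC and Guardian alike, and each UI escapes exactly once, which avoids both the injection and the double-encoding you get when a value escaped on write is escaped again on read.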
Attack Vector
The attack requires an authenticated account with privileges to create or modify remote strategies in Smart Polling. The attacker crafts a remote strategy whose text fields contain HTML such as anchor tags, forms, images or styled overlays. The strategy is then pushed through the sync mechanism to other appliances. When a victim with appropriate access views the strategy in the Smart Polling UI, the injected HTML renders inside their authenticated session. Practical exploitation paths include displaying fake login prompts to harvest credentials and leading the victim to attacker-controlled domains through clickable elements. Because the vendor reports that script execution is blocked, both paths depend on the victim interacting with the rendered markup rather than on the page acting on its own.
No public proof-of-concept code has been published for this issue. Refer to the Nozomi Networks Security Advisory for vendor-supplied technical details.
Detection Methods for CVE-2025-40904
Indicators of Compromise
- Remote strategy objects in CMC or Guardian containing HTML tags such as <a>, <iframe>, <img>, or <form> within text fields not intended to hold markup.
- Audit log entries showing creation or modification of Smart Polling remote strategies by low-privilege accounts.
- Outbound web requests from operator browsers to unexpected domains following Smart Polling page loads.
Detection Strategies
- Query the configuration database or API for Smart Polling strategies and search stored text fields for tags (an angle bracket followed by a tag name), href=, src= or javascript: substrings. A bare angle bracket on its own also matches legitimate text such as threshold comparisons, so review hits rather than alerting on them blindly.
- Review web server access logs for repeated views of specific remote strategy IDs by privileged operators.
- Correlate strategy sync events with subsequent authentication anomalies or unexpected redirects reported by operators.
Monitoring Recommendations
- Enable verbose audit logging for Smart Polling configuration changes and ship logs to a centralized SIEM for retention and correlation.
- Monitor browser-side CSP violation reports, which can surface attempted script execution blocked by the existing policy.
- Alert on creation of remote strategies by non-administrative accounts and on bulk sync operations originating from low-privilege users.
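The CSP violation reports mentioned above are only useful if someone reads them. The added example below, which is not code from Nozomi Networks or from this page, triages a handful of constructed reports in the report-uri JSON shape (a top-level "csp-report" object) and keeps only those raised on Smart Polling pages; the appliance hostname, the /smart_polling/ path and the blocked URIs are invented for the example, and the real paths depend on the product version.

```python
import json
from collections import Counter
from urllib.parse import urlparse

# Constructed CSP violation reports, one JSON document per line as a report
# collector would receive them. Hosts and paths are invented for this example.
RAW_REPORTS = [
    '{"csp-report": {"document-uri": "https://cmc.example.invalid/smart_polling/strategies/17",'
    ' "violated-directive": "script-src", "effective-directive": "script-src", "blocked-uri": "inline"}}',
    '{"csp-report": {"document-uri": "https://cmc.example.invalid/smart_polling/strategies/17",'
    ' "violated-directive": "img-src", "effective-directive": "img-src",'
    ' "blocked-uri": "https://collector.attacker.invalid/p.gif"}}',
    '{"csp-report": {"document-uri": "https://cmc.example.invalid/dashboard",'
    ' "violated-directive": "style-src", "effective-directive": "style-src", "blocked-uri": "inline"}}',
]

# Assumed URL path prefix of the Smart Polling UI; adjust to the deployed version.
SMART_POLLING_PATH = "/smart_polling/"


def triage(raw_reports):
    """Count reports raised on Smart Polling pages, keyed by (effective directive, blocked URI).

    Reports from other pages are dropped: a blocked inline style on the dashboard is
    ordinary CSP noise, a blocked inline script on a strategy view is not."""
    hits = Counter()
    for raw in raw_reports:
        report = json.loads(raw).get("csp-report", {})
        document = urlparse(report.get("document-uri", ""))
        if SMART_POLLING_PATH not in document.path:
            continue
        hits[(report.get("effective-directive"), report.get("blocked-uri"))] += 1
    return hits


def external_hosts(hits):
    """Hosts other than the appliance that blocked resources pointed at.

    CSP stops the request, but the attempt itself shows an injected element
    trying to call out and gives the operator a domain to hunt for."""
    hosts = set()
    for (_directive, blocked), _count in hits.items():
        parsed = urlparse(blocked or "")
        if parsed.scheme in ("http", "https") and parsed.hostname:
            hosts.add(parsed.hostname)
    return hosts


if __name__ == "__main__":
    hits = triage(RAW_REPORTS)
    for (directive, blocked), count in sorted(hits.items()):
        print(f"{count} x {directive} blocked {blocked}")
    print("external hosts:", sorted(external_hosts(hits)))
```

Feed the collector's stored reports into triage() and alert on any script-src hit from a Smart Polling page; an img-src or connect-src hit pointing at a host you do not own is worth a ticket even though the browser refused the request.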
How to Mitigate CVE-2025-40904
Immediate Actions Required
- Apply the fixed versions of Nozomi Networks CMC and Guardian as identified in the Nozomi Networks Security Advisory NN-2026:7-01.
- Audit existing Smart Polling remote strategies and remove any entries containing HTML markup in non-markup fields.
- Review and restrict accounts authorized to create or modify remote strategies, removing the privilege from users who do not require it.
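Both the detection strategy of searching stored strategy fields for markup and the audit step above come down to the same scan over an export of remote strategies. The following added example, which is not code from Nozomi Networks or from this page, runs that scan over a constructed JSON export and splits it into clean records and records to remove or re-author; the record shape (id, name, description, author, role) is an assumption, since the page does not document the product's schema. It goes slightly beyond the indicators listed on this page by also matching inline event-handler attributes (onerror=, onclick=), which are the usual way an image or form tag is made to do something.

```python
import json
import re

# Constructed export of Smart Polling remote strategies (assumed record shape).
# Record 29 is a legitimate entry with a bare '<' and must not be flagged.
EXPORT = json.dumps([
    {"id": 11, "name": "Modbus read - PLC line A", "description": "Poll holding registers every 60s",
     "author": "admin", "role": "administrator"},
    {"id": 17, "name": '<a href="https://login.example.invalid/">Session expired, re-authenticate</a>',
     "description": "", "author": "ops-readonly", "role": "observer"},
    {"id": 23, "name": "SNMP walk", "description": "<img src=x onerror=alert(1)>",
     "author": "ops-readonly", "role": "observer"},
    {"id": 29, "name": "Compare a < b thresholds", "description": "plain text, no markup",
     "author": "admin", "role": "administrator"},
])

# Fields that should hold plain text and never markup (assumed names).
TEXT_FIELDS = ("name", "description")

# Roles allowed to author strategies after the privilege review (assumption).
PRIVILEGED_ROLES = {"administrator"}

# A real tag is '<' optionally '/' then a tag name, so "a < b" does not match.
# Also: URL-bearing attributes, inline event handlers, and the javascript: scheme.
MARKUP = re.compile(
    r"</?[a-zA-Z][\w-]*|\bhref\s*=|\bsrc\s*=|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)


def scan(export_json):
    """One finding per (strategy id, field) whose text carries a markup indicator."""
    findings = []
    for record in json.loads(export_json):
        for field in TEXT_FIELDS:
            match = MARKUP.search(record.get(field, ""))
            if match:
                findings.append({
                    "id": record["id"],
                    "field": field,
                    "match": match.group(0),
                    "author": record["author"],
                    "low_privilege_author": record["role"] not in PRIVILEGED_ROLES,
                })
    return findings


def quarantine(export_json):
    """Split the export into records safe to keep and records to remove or re-author.

    Removing the flagged records on every synchronized node matters: a clean CMC
    re-learns the payload from a Guardian that still holds it."""
    flagged = {finding["id"] for finding in scan(export_json)}
    records = json.loads(export_json)
    clean = [record for record in records if record["id"] not in flagged]
    suspect = [record for record in records if record["id"] in flagged]
    return clean, suspect


if __name__ == "__main__":
    for finding in scan(EXPORT):
        print(f"strategy {finding['id']} {finding['field']!r}: matched {finding['match']!r}"
              f" (author {finding['author']}, low-privilege={finding['low_privilege_author']})")
    clean, suspect = quarantine(EXPORT)
    print("keep:", [r["id"] for r in clean], "remove or re-author:", [r["id"] for r in suspect])
```

Run the scan against an export from every CMC and Guardian in the sync topology, not just the console, and treat a finding authored by a non-administrative account as a lead for the audit-log review described under Detection.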
Patch Information
Nozomi Networks has published advisory NN-2026:7-01 describing fixed releases for CMC and Guardian. Customers should consult the advisory for the exact patched build numbers applicable to their deployment and follow the vendor's upgrade procedure. Both the CMC and any synchronized Guardian sensors must be updated to prevent reintroduction of malicious strategies through the sync channel.
Workarounds
- Limit Smart Polling strategy authoring to fully trusted administrative accounts until patches are deployed.
- Train operators to avoid clicking embedded links within Smart Polling strategy views and to validate URLs before authenticating.
- Disable or restrict the sync of remote strategies between CMC and Guardian where the feature is not operationally required.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.