CVE-2025-7958 Overview
CVE-2025-7958 is a code injection vulnerability [CWE-94] affecting Trellix Network Security Central Management (CM) and Network Security (NX) appliances. A locally authenticated administrator can execute arbitrary code through the web interface by abusing Alert artifact details handling. The flaw requires high privileges and adjacent network access, but successful exploitation yields high impact to confidentiality, integrity, and availability of the affected appliance.
Critical Impact
An authenticated admin user can execute arbitrary code on Trellix Network Security CM and NX appliances via crafted Alert artifact details, compromising the appliance and any monitoring data it processes.
Affected Products
- Trellix Network Security Central Management (CM)
- Trellix Network Security (NX) appliances
- Refer to the Trellix Support Article for specific affected versions
Discovery Timeline
- 2026-06-26 - CVE-2025-7958 published to NVD
- 2026-06-26 - Last updated in NVD database
Technical Details for CVE-2025-7958
Vulnerability Analysis
The vulnerability resides in the web interface of Trellix Network Security CM and NX appliances. When a locally authenticated administrator interacts with Alert artifact details, the application fails to properly sanitize input before it is processed as executable content. This allows the attacker-controlled data to be interpreted as code rather than as inert artifact metadata.
The issue is classified under [CWE-94] Improper Control of Generation of Code (Code Injection). Exploitation results in arbitrary code execution in the context of the underlying application, giving the attacker control over appliance functions such as alert processing, traffic inspection, and management workflows.
Because Trellix NX and CM appliances sit inline or adjacent to sensitive network traffic, code execution on these devices can expose captured session data, detection rules, and administrative credentials for downstream systems.
Root Cause
The root cause is insufficient validation and sanitization of Alert artifact details before they are consumed by a downstream code interpreter or evaluation routine invoked from the web interface. User-supplied fields are treated as trusted input, allowing injected payloads to reach a code execution sink.
Attack Vector
The attack requires an adjacent network position and high privileges: the attacker must already hold administrator credentials on the appliance. No user interaction is required beyond the attacker's own actions. An authenticated admin submits crafted content through the artifact details path in the web interface, and the injected code executes on the appliance.
The vulnerability is described in prose only; no public proof-of-concept has been published and no exploitation in the wild has been confirmed. See the Trellix Support Article for vendor technical details.
Detection Methods for CVE-2025-7958
Indicators of Compromise
- Unexpected processes spawned by the Trellix NX or CM web application service outside normal operational baselines.
- Anomalous outbound network connections originating from the appliance management interface.
- Modifications to appliance configuration, alert-handling scripts, or scheduled tasks that were not initiated through documented change control.
- Administrator sessions submitting unusual payloads to artifact-related endpoints of the management UI.
Detection Strategies
- Monitor administrator activity on Trellix CM and NX web interfaces for atypical use of the Alert artifact details functionality.
- Correlate admin session logs with process creation events on the appliance to identify command execution not tied to legitimate workflows.
- Alert on any shell or interpreter invocation stemming from the web application user context.
Monitoring Recommendations
- Forward Trellix appliance audit logs and admin action logs to a central SIEM for retention and correlation.
- Baseline normal administrator activity patterns and flag deviations, particularly around artifact and alert manipulation.
- Track privileged account usage on network security appliances and enforce alerting on new or rarely used admin accounts.
How to Mitigate CVE-2025-7958
Immediate Actions Required
- Apply the fixed versions referenced in the Trellix Support Article as soon as maintenance windows permit.
- Audit all administrator accounts on Trellix CM and NX and remove or disable unused privileged accounts.
- Restrict management interface access to a dedicated, hardened administration network segment.
- Rotate administrator credentials and any secrets stored on or accessible from the appliance.
Patch Information
Trellix has published guidance and fixed builds through the Trellix Support Article 000015433. Administrators should identify their installed CM and NX versions, review the vendor advisory for the corresponding fixed release, and schedule an upgrade following Trellix's documented procedure.
Workarounds
- Enforce network-level access controls limiting reachability of the CM and NX management UI to trusted administrator workstations only.
- Require multi-factor authentication for all administrator accounts that can access the web interface.
- Implement strict change control and dual-approval workflows for administrative actions on alert artifacts until patches are deployed.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

