CVE-2025-40902
Description
A Stored HTML Injection vulnerability was discovered in the Users functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can create a malicious user whose username contains HTML tags. When a victim attempts to delete a group containing the affected user, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored HTML injection in Nozomi Guardian/CMC versions before 26.1.0 allows an administrator to inject HTML through a username, enabling phishing and open redirect when a victim deletes a group containing that user.
Vulnerability
A stored HTML injection vulnerability exists in the Users functionality of Nozomi Networks Guardian and CMC versions prior to 26.1.0. The username parameter is not properly validated, allowing an authenticated user with administrative privileges to create a user account whose username contains arbitrary HTML tags. The injected HTML is stored and later rendered when a victim attempts to delete a group that includes the malicious user [1].
Exploitation
An attacker must have administrative access to the web management interface. They create a new user with a crafted username containing HTML tags. When another administrator (the victim) navigates to the group deletion page and attempts to delete a group that contains this user, the injected HTML is rendered in the victim's browser. No user interaction beyond the deletion action is required; the HTML renders in the context of the management interface [1].
Impact
The injected HTML can be used for phishing attacks (e.g., displaying a fake login form) or open redirect attacks (e.g., a link that redirects to an external site). Full cross-site scripting (XSS) and direct information disclosure are prevented by existing input validation and Content Security Policy (CSP) configuration. The attacker does not gain code execution or direct access to sensitive data, but can trick victims into revealing credentials or navigating to malicious sites [1].
Mitigation
The vulnerability is fixed in version 26.1.0 of Guardian and CMC. Users should upgrade to this version or later. As workarounds, administrators can use internal firewall features to limit access to the web management interface, review all accounts with administrative access and delete unnecessary ones, and review usernames of existing users for suspicious content [1].
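The two defender-side controls implied above, rejecting markup in usernames at input time and reviewing existing accounts for suspicious names, together with output encoding at the point where a username is rendered into a deletion confirmation, are shown below as an added example. This is not Nozomi Networks' code or anything from the advisory; the user records are constructed sample data, and the allowlist pattern, field names and the confirmation message format are assumptions about how such an interface might be built.

```python
"""Defender-side checks for the username-based stored HTML injection class.

Added example; not code from Nozomi Networks or the advisory. The user
records are constructed sample data; the allowlist pattern and field names
are assumptions, not the product's actual rules.
"""
import html
import re
from html.parser import HTMLParser

# Assumed allowlist for account names: letters, digits, dot, underscore,
# hyphen and '@' so e-mail style names pass; markup characters cannot.
USERNAME_ALLOWLIST = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._@-]{0,63}$")

# Constructed sample directory. Entries 2 and 3 carry markup of the kind the
# advisory describes (a link and a form-like element) so the audit finds them.
SAMPLE_USERS = [
    {"id": 1, "username": "alice.ops", "role": "admin"},
    {"id": 2, "username": '<a href="https://example.invalid/login">Session expired</a>', "role": "viewer"},
    {"id": 3, "username": "bob<form action=https://example.invalid>Sign in</form>", "role": "viewer"},
    {"id": 4, "username": "carol_2024", "role": "admin"},
]


class _TagCollector(HTMLParser):
    """Records every start tag the stdlib parser finds in a string."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.tags.append(tag)


def html_tags_in(text):
    """Return the HTML tag names present in text ([] when there are none)."""
    collector = _TagCollector()
    collector.feed(text)
    collector.close()
    return collector.tags


def is_valid_username(name):
    """Allowlist check: the durable fix is refusing markup when the account is created."""
    return USERNAME_ALLOWLIST.fullmatch(name) is not None


def audit_usernames(users):
    """Review existing accounts (the advisory's workaround): list every user whose
    name fails the allowlist, with the tags found so a reviewer can see why."""
    findings = []
    for user in users:
        name = user["username"]
        if not is_valid_username(name):
            findings.append({"id": user["id"], "role": user["role"], "tags": html_tags_in(name)})
    return findings


def render_delete_confirmation(group, users):
    """Output encoding for the group-deletion message: escaping each username
    means stored markup is displayed as text instead of being rendered."""
    names = ", ".join(html.escape(u["username"], quote=True) for u in users)
    return f"<p>Delete group <b>{html.escape(group)}</b> and remove members: {names}?</p>"


if __name__ == "__main__":
    for finding in audit_usernames(SAMPLE_USERS):
        print(f"user {finding['id']} ({finding['role']}): markup tags {finding['tags']}")
    print(render_delete_confirmation("plant-operators", SAMPLE_USERS))
```

The allowlist is the primary control because it removes the stored payload at its source; the escaping in `render_delete_confirmation` is defence in depth for names that were stored before the rule existed, and the audit is how an administrator finds those names.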
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] security.nozominetworks.com/NN-2026:5-01 (nvd: Vendor Advisory)
News mentions
No linked articles in our index yet.