CVE-2025-40892
HIGHNozomi Networks CMC and Guardian < 25.5.0 - Authenticated Stored Cross-Site Scripting in Reports Functionality
Title source: llmDescription
A Stored Cross-Site Scripting vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing a JavaScript payload, or a victim can be socially engineered to import a malicious report template. When the victim views or imports the report, the XSS executes in their browser context, allowing the attacker to perform unauthorized actions as the victim, such as modify application data, disrupt application availability, and access limited sensitive information.
References (2)
Core 2
Core References
Vendor Advisory
https://cert-portal.siemens.com/productcert/html/ssa-827968.html
Mitigation, Vendor Advisory
https://security.nozominetworks.com/NN-2025:13-01
Scores
CVSS v3
8.9
EPSS
0.0021
EPSS Percentile
11.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-79
Status
published
Products (4)
Nozomi Networks/CMC
< 25.5.0
Nozomi Networks/Guardian
< 25.5.0
nozominetworks/cmc
< 25.5.0
nozominetworks/guardian
< 25.5.0
Published
Dec 18, 2025
Tracked Since
Feb 18, 2026