CVE-2025-40897
Status: Received - Intake
Access Control Bypass in Threat Intelligence Allows Admin Actions

Publication date: 2026-04-15

Last updated on: 2026-04-15

Assigner: Nozomi Networks Inc.

Description
An access control vulnerability was discovered in the Threat Intelligence functionality due to a specific access restriction not being properly enforced for users with view-only privileges. An authenticated user with view-only privileges for the Threat Intelligence functionality can perform administrative actions on it, altering the rules configuration, and/or affecting their availability.
Meta Information
Published
2026-04-15
Last Modified
2026-04-15
Generated
2026-05-07
AI Q&A
2026-04-15
EPSS Evaluated
2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs
Vendor            Product    Version / Range
nozomi_networks   guardian   up to 26.0.0 (excluding)
nozomi_networks   cmc        up to 26.0.0 (excluding)
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify how this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.


Can you explain this vulnerability to me?

CVE-2025-40897 is an access control vulnerability in the Threat Intelligence functionality of Guardian and CMC products prior to version 26.0.0.

The issue occurs because a specific access restriction is not properly enforced for users who have view-only privileges.

As a result, authenticated users with only view-only access can perform unauthorized administrative actions, such as modifying rules configurations or affecting the availability of the Threat Intelligence feature.


How can this vulnerability impact me?

This vulnerability allows users with only view-only privileges to perform administrative actions they should not be authorized to do.

Such unauthorized actions include altering rules configurations and impacting the availability of the Threat Intelligence functionality.

This can lead to potential disruption of security monitoring and threat detection capabilities, increasing the risk of undetected threats or misconfigurations.


What immediate steps should I take to mitigate this vulnerability?

To mitigate the risk of this vulnerability, it is recommended to remove or revoke Threat Intelligence access for users with view-only privileges until the issue is resolved.

The definitive solution is to upgrade the affected Guardian and CMC products to version 26.0.0 or later, where the vulnerability has been addressed.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves an access control flaw where authenticated users with view-only privileges can perform unauthorized administrative actions on the Threat Intelligence functionality.

To detect this vulnerability on your system, you should verify if any users with view-only privileges are able to modify rules configurations or affect the availability of the Threat Intelligence feature.

Since the vulnerability is related to improper enforcement of access restrictions, detection involves auditing user actions and permissions within the Guardian or CMC products prior to version 26.0.0.

No specific detection commands are provided in the available resources. However, general steps include:

  • Review user roles and permissions to identify any view-only users with unexpected administrative capabilities.
  • Audit logs for any administrative actions performed by users who should only have view-only access.
  • Check the version of your Guardian or CMC product to confirm if it is prior to 26.0.0, as the vulnerability is fixed in 26.0.0 and later.

For specific commands, consult your product's audit or logging tools to extract user activity related to Threat Intelligence configuration changes.
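The three detection steps above (role review, audit-log review, version check) as a small script. This is an added example, not code from the advisory, from Nozomi Networks, or from the Guardian/CMC products: the audit log line format, the role names, the user names and the action names ("ti.rule.update", "ti.disable", ...) are all constructed assumptions, and the parser has to be adapted to whatever your product's audit export actually looks like. The only value taken from this page is the fixed version, 26.0.0.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed role model: the actions each role is *expected* to perform on
# Threat Intelligence. A view-only role should only ever read.
ALLOWED_ACTIONS = {
    "admin": {"ti.view", "ti.rule.update", "ti.rule.delete", "ti.disable", "ti.enable"},
    "view_only": {"ti.view"},
}

# From the affected-product ranges on this page: everything below 26.0.0 is affected.
FIXED_VERSION = (26, 0, 0)

# Constructed user directory (hypothetical accounts).
USER_ROLES = {"alice": "admin", "bob": "view_only", "carol": "view_only"}

# Constructed per-user permission grants, i.e. what the product actually granted.
USER_PERMISSIONS = {
    "alice": {"ti.view", "ti.rule.update", "ti.rule.delete", "ti.disable", "ti.enable"},
    "bob": {"ti.view"},
    "carol": {"ti.view", "ti.disable"},  # view-only user holding an admin capability
}

# Constructed audit log shape: "<timestamp> user=<name> action=<action> result=<ok|denied>"
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) result=(?P<result>\S+)$")

SAMPLE_LOG = [  # constructed sample lines, not real product output
    "2026-04-20T10:00:01Z user=alice action=ti.rule.update result=ok",
    "2026-04-20T10:05:12Z user=bob action=ti.view result=ok",
    "2026-04-20T10:07:45Z user=bob action=ti.rule.update result=ok",
    "2026-04-20T10:09:03Z user=carol action=ti.disable result=ok",
    "2026-04-20T10:11:30Z user=carol action=ti.rule.delete result=denied",
    "this line is malformed and must be skipped",
]


@dataclass
class Finding:
    ts: str
    user: str
    role: str
    action: str


def parse_version(version: str) -> tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str) -> bool:
    """Step 3: affected when the installed version is strictly below 26.0.0."""
    return parse_version(version) < FIXED_VERSION


def unexpected_capabilities(user_roles=USER_ROLES, user_perms=USER_PERMISSIONS) -> dict[str, set[str]]:
    """Step 1: users whose granted permissions exceed what their role should allow."""
    out = {}
    for user, role in user_roles.items():
        extra = user_perms.get(user, set()) - ALLOWED_ACTIONS.get(role, set())
        if extra:
            out[user] = extra
    return out


def audit(lines=SAMPLE_LOG, user_roles=USER_ROLES) -> list[Finding]:
    """Step 2: successful actions in the log that the actor's role should not permit."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["result"] != "ok":
            continue  # skip malformed lines and denied attempts; only successes matter here
        role = user_roles.get(m["user"], "unknown")
        if m["action"] not in ALLOWED_ACTIONS.get(role, set()):
            findings.append(Finding(m["ts"], m["user"], role, m["action"]))
    return findings


if __name__ == "__main__":
    print("affected 25.3.1:", is_affected("25.3.1"), "| affected 26.0.0:", is_affected("26.0.0"))
    print("over-privileged users:", unexpected_capabilities())
    for f in audit():
        print(f"{f.ts} {f.user} ({f.role}) performed {f.action}")
```

Running it against the constructed data flags carol as holding an admin capability, and lists bob's rule update and carol's disable action as successful admin-level operations by view-only accounts; denied attempts are deliberately left out, since the point is to find where the check did not hold.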

