CVE-2025-40899
Stored XSS in Assets and Nodes Allows Privilege Abuse
Publication date: 2026-04-15
Last updated on: 2026-04-15
Assigner: Nozomi Networks Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nozominetworks | guardian | to 26.0.0 (exc) |
| nozominetworks | cmc | to 26.0.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-40899 is a Stored Cross-Site Scripting (XSS) vulnerability found in the Assets and Nodes functionality of certain products. It occurs because of improper validation of an input parameter, allowing an authenticated user with privileges to manage custom fields to inject malicious JavaScript code into a custom field.
When another user views the affected Assets or Nodes pages, this malicious script executes in their browser, enabling the attacker to perform unauthorized actions such as modifying application data, disrupting application availability, and accessing sensitive information.
How can this vulnerability impact me? :
This vulnerability can have several serious impacts including unauthorized modification of application data, disruption of application availability, and unauthorized access to sensitive information.
- Modification of application data by attackers acting as the victim.
- Disruption of the availability of the application.
- Access to limited sensitive information that should otherwise be protected.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by auditing and reviewing the custom fields defined in the Assets and Nodes functionality for any malicious JavaScript payloads injected by authenticated users with custom fields privileges.
Since the vulnerability involves stored cross-site scripting in web application input parameters, detection involves inspecting the content of custom fields for suspicious scripts.
No specific commands are provided in the available resources, but general approaches include querying the database or using web interface tools to list and review custom fields for suspicious JavaScript code.
What immediate steps should I take to mitigate this vulnerability?
- Restrict access to the web management interface using internal firewall features to limit exposure.
- Audit and remove unnecessary user accounts, especially those with privileges to manage custom fields.
- Review existing custom fields for malicious content and remove or sanitize any suspicious entries.
- Upgrade the affected products (Guardian and CMC) to version 26.0.0 or later, where the vulnerability has been fixed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The Stored Cross-Site Scripting (XSS) vulnerability allows attackers to execute unauthorized actions such as modifying application data, disrupting availability, and accessing sensitive information. This exposure of sensitive information and potential data manipulation can negatively impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data and maintaining system integrity and availability.
Specifically, unauthorized access to sensitive information due to this vulnerability could lead to breaches of confidentiality requirements under these regulations. Additionally, disruption of application availability and data integrity may violate operational and security controls mandated by such standards.
Mitigation measures such as restricting access, auditing user accounts, and upgrading to fixed versions are critical to maintaining compliance.