CVE-2026-31985
Received Received - Intake

TLS Certificate Verification Bypass in Remote Collector Configuration

Vulnerability report for CVE-2026-31985, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: Nozomi Networks Inc.

Description

When the upstream Guardian or CMC was configured in the Remote Collector via n2os-tui, the generated configuration disabled TLS certificate verification, and no option was provided to enable it. A malicious actor could perform a man-in-the-middle attack and intercept the communication between the Remote Collector and the Guardian or CMC. This could result in theft of the sync token, impersonation of the server, injection of spoofed data (such as false asset information or vulnerabilities) into the Guardian or CMC, or disruption of the data flow between the Remote Collector and the Guardian or CMC.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
nozomi_networks remote_collector to 26.2.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-671 The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-31985 is a vulnerability in the Remote Collector software versions before v26.2.0. When configured via the n2os-tui tool to connect to an upstream Guardian or CMC, the generated configuration disables TLS certificate verification and does not provide an option to enable it.

This lack of TLS certificate validation allows a malicious actor to perform a man-in-the-middle attack, intercepting communications between the Remote Collector and the Guardian or CMC.

As a result, attackers could steal sync tokens, impersonate the server, inject spoofed data such as false asset information or vulnerabilities, or disrupt the data flow between these components.

Impact Analysis

This vulnerability can have serious impacts including unauthorized interception of sensitive communication between the Remote Collector and Guardian or CMC.

  • Theft of sync tokens which could allow attackers to gain unauthorized access.
  • Impersonation of the server, misleading clients or systems relying on the Remote Collector.
  • Injection of false or spoofed data, such as incorrect asset information or vulnerabilities, potentially compromising the integrity of the system.
  • Disruption of data flow between the Remote Collector and Guardian or CMC, affecting system availability and reliability.
Detection Guidance

This vulnerability occurs when the Remote Collector is configured via the n2os-tui tool and TLS certificate verification is disabled for connections to the Guardian or CMC.

To detect if your system is vulnerable, check the configuration file "n2os.conf.user" for the upstream endpoint entry. If the entry is prefixed with a "!", it indicates that TLS certificate verification is disabled.

A possible command to inspect this configuration on a Unix-like system is:

  • grep '^!' /path/to/n2os.conf.user

This command searches for lines starting with "!", which disables TLS verification. If such lines are present for the upstream Guardian or CMC endpoint, the system is vulnerable.

Mitigation Strategies

The recommended immediate mitigation is to manually edit the "n2os.conf.user" configuration file to remove the "!" prefix from the upstream endpoint entry. This action enables TLS certificate verification, preventing man-in-the-middle attacks.

Additionally, the best long-term solution is to upgrade the Remote Collector software to version 26.2.0 or later, where this vulnerability is fixed and TLS certificate verification is properly enforced.

Compliance Impact

This vulnerability allows man-in-the-middle attacks that can lead to interception of sensitive communication, theft of sync tokens, impersonation of servers, injection of false data, or disruption of data flow between the Remote Collector and Guardian or CMC.

Such security weaknesses could potentially impact compliance with standards and regulations like GDPR and HIPAA, which require protection of data integrity and confidentiality during transmission.

However, the provided information does not explicitly state the direct effects on compliance with these standards.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31985. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart