Stored HTML Injection in CMC's Sensor Map Functionality
CVE-2025-40895

2LOW

Key Information:

Vendor: Nozomi Networks
Status: Cmc
Vendor: CVE Published:; 4 March 2026

🔔 Create Nozomi Networks Vulnerability Alert

What is CVE-2025-40895?

A vulnerability within the CMC's Sensor Map functionality allows a malicious authenticated user with administrative privileges to inject harmful HTML tags by improperly validating connected Guardian properties. If the Sensor Map feature is active, this can result in the injected HTML being rendered in the browsers of other CMC users, potentially facilitating phishing attacks. While the existing input validation and Content Security Policy configurations inhibit full XSS exploitation and direct information disclosure, the vulnerability still poses significant risks to user interaction with the affected functionality.

Affected Version(s)

CMC 0 < 25.6.0

References

https://security.nozominetworks.com/NN-2025:17-01

CVSS V4

Score:

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 4, 2026
Vulnerability Reserved
Apr 16, 2025

Credit

This issue was found by Stefano Libero of Nozomi Networks Product Security team during an internal investigation.

CVE-2025-40895 Data

JSON