CVE-2025-40891 — Vulnetix

Try Vulnetix Request Demo

CVE-2025-40891 PUBLISHED CVSS 2.299999952316284 LOW

A Stored HTML Injection vulnerability was discovered in the Time Machine Snapshot Diff functionality due to improper validation of network traffic data. An unauthenticated attacker can send specially crafted network packets at two different times to inject HTML tags into asset attributes across two snapshots. Exploitation requires a victim to use the Time Machine Snapshot Diff feature on those specific snapshots and perform specific GUI actions, at which point the injected HTML renders in their browser, enabling phishing and open redirect attacks. Full XSS exploitation is prevented by input validation and Content Security Policy. Attack complexity is high due to multiple required conditions.

EPSS 0.04% · 12.3th percentile

Risk Scores

CVSS v4.0

2.299999952316284

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

EPSS Score

0.04%

12.3th percentile

Affected Products

Vendor	Product	Versions
nozomi_networks	cmc	0
nozomi_networks	guardian	0
Nozomi Networks	Guardian	0
nozominetworks	cmc	0
nozominetworks	guardian	0
Nozomi Networks	CMC	0

Timeline

Apr 16, 2025 CVE ID Reserved
Dec 18, 2025 CVE Published
Dec 19, 2025 EPSS Score
Dec 22, 2025 EPSS Score
Dec 26, 2025 EPSS Score
Dec 29, 2025 EPSS Score
Jan 1, 2026 EPSS Score
Jan 5, 2026 EPSS Score
Jan 8, 2026 EPSS Score
Jan 11, 2026 EPSS Score
Jan 14, 2026 EPSS Score
Jan 18, 2026 EPSS Score

References

Open in Interactive Console →