CVE-2025-40893

HTML injection in Asset List in Guardian/CMC before 25.5.0

CVSS 5.3 MEDIUMEPSS 0.2%CWE-79

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 5.3EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

18 Dec 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

A Stored HTML Injection vulnerability was discovered in the Asset List functionality due to improper validation of network traffic data. An unauthenticated attacker can send specially crafted network packets to inject HTML tags into asset attributes. When a victim views the affected assets in the Asset List (and similar functions), the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Affected products

Nozomi Networks · CMC Nozomi Networks · Guardian

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://cert-portal.siemens.com/productcert/html/ssa-827968.html https://security.nozominetworks.com/NN-2025:14-01