
CVE-2025-40901

Severity: Medium  ·  Weakness Type: CWE-79
Published: May 19, 2026  ·  Modified: May 22, 2026  ·  Source: NVD
CVSS v3: 5.9
🔗 NVD Official
📄 Description (English)

A Stored HTML Injection vulnerability was discovered in the Credentials Manager functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can define a malicious identity containing HTML tags. When a victim attempts to delete the affected identity, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.

🤖 AI Executive Summary

CVE-2025-40901 is a stored HTML injection vulnerability in Nozomi Networks CMC and Guardian products affecting the Credentials Manager. An authenticated administrator can inject malicious HTML that executes when other users attempt to delete credentials, enabling phishing and open redirect attacks. While full XSS is mitigated by CSP, the vulnerability poses significant risk in multi-user environments where administrative accounts may be compromised or malicious insiders exist.

🤖 AI Intelligence Analysis (analyzed: May 24, 2026 11:18)
🇸🇦 Saudi Arabia Impact Assessment
Saudi critical infrastructure operators using Nozomi Networks CMC/Guardian for industrial control system (ICS) monitoring face elevated risk. Primary impact sectors: Energy (ARAMCO, SEC), Water/Wastewater utilities, Healthcare facilities managing medical devices, and Government agencies operating SCADA systems. The vulnerability is particularly dangerous in Saudi environments where administrative account compromise could enable lateral movement and credential harvesting from operators managing critical infrastructure. Financial institutions using these products for network monitoring also face phishing risks targeting privileged users.
🏢 Affected Saudi Sectors
Energy (ARAMCO, SEC, regional utilities)
Water and Wastewater Management
Healthcare (hospitals, medical device networks)
Government (critical infrastructure agencies, NCA)
Telecommunications (STC, Mobily, Zain)
Financial Services (SAMA-regulated institutions)
Manufacturing and Industrial Control Systems
⚖️ Saudi Risk Score (AI)
6.8 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Audit all administrative accounts in CMC/Guardian for suspicious credential definitions containing HTML/script tags
2. Review access logs for credential deletion events and correlate with user activity
3. Implement network segmentation to restrict CMC/Guardian administrative access to trusted networks only
4. Disable or restrict Credentials Manager functionality if not actively required

COMPENSATING CONTROLS (until patch available):
5. Enforce multi-factor authentication (MFA) for all administrative accounts accessing CMC/Guardian
6. Implement email filtering rules to block phishing attempts from credential deletion notifications
7. Deploy endpoint detection and response (EDR) to monitor for suspicious browser activity from CMC/Guardian users
8. Configure browser security policies to disable auto-redirect functionality
9. Conduct security awareness training focusing on phishing indicators in credential management workflows

DETECTION RULES:
10. Monitor CMC/Guardian logs for credential definitions containing HTML markup indicators (<, >, script, iframe, onclick)
11. Alert on credential deletion events followed by unusual network connections or data exfiltration
12. Track administrative account login patterns for anomalies
13. Implement SIEM rules to detect stored XSS patterns in application logs
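Detection rule 10 above, worked through as an added example (this code is not from the original page or from Nozomi Networks): it scans credential create/update events for HTML markup in the identity name, flags meta-refresh redirects separately because the advisory calls out open redirect, and skips deletion events. The audit-log line format and the sample lines are constructed assumptions, not the product's real output.

```python
import re
from typing import Dict, List, NamedTuple

# Markup that has no business in a credential/identity name. The tag pattern
# needs a letter right after '<', so comparison text like "a < b" is not flagged.
MARKUP_PATTERNS: Dict[str, re.Pattern] = {
    "html_tag": re.compile(r"</?[a-zA-Z][a-zA-Z0-9-]*(\s[^>]*)?>"),
    "event_handler": re.compile(r"\bon[a-zA-Z]+\s*=", re.IGNORECASE),
    "javascript_url": re.compile(r"javascript\s*:", re.IGNORECASE),
    "meta_refresh": re.compile(r"http-equiv\s*=\s*['\"]?refresh", re.IGNORECASE),
}

# Constructed audit-log format (an assumption, not the product's real format):
#   <timestamp> user=<login> action=credential_<create|update> name="<name>"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+'
    r'action=(?P<action>credential_(?:create|update))\s+name="(?P<name>.*)"$'
)

class Finding(NamedTuple):
    ts: str
    user: str
    name: str
    indicators: List[str]

def markup_indicators(value: str) -> List[str]:
    # Names of every markup pattern present in a credential name.
    return [k for k, pat in MARKUP_PATTERNS.items() if pat.search(value)]

def scan_log(lines: List[str]) -> List[Finding]:
    # Flag credential create/update events whose name carries HTML markup.
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:  # other events (deletions, logins) are not definitions
            continue
        hits = markup_indicators(m["name"])
        if hits:
            findings.append(Finding(m["ts"], m["user"], m["name"], hits))
    return findings

# Constructed sample lines (not real product output).
SAMPLE_LOG = [
    '2026-05-20T09:01:11Z user=ops_admin action=credential_create name="plc-line-3 maintenance"',
    '2026-05-20T09:04:52Z user=ops_admin action=credential_update name="historian (read-only) a < b"',
    '2026-05-20T09:10:03Z user=contractor7 action=credential_create name="<a href=https://example.invalid/reset>Password expired</a>"',
    '2026-05-20T09:11:40Z user=contractor7 action=credential_update name="<meta http-equiv=refresh content=0;url=https://example.invalid/>"',
    '2026-05-20T09:12:00Z user=contractor7 action=credential_delete name="<b>x</b>"',
]
```

Each finding carries the defining user and timestamp, which is what step 2 needs to correlate a flagged definition with later deletion events.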
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Access Control: Administrative account management and privilege restriction
ECC 2024 A.6.1.1 - Cryptography: Input validation and output encoding requirements
ECC 2024 A.7.1.1 - Physical and Environmental Security: Secure configuration of security tools
ECC 2024 A.8.1.1 - Operations Security: Monitoring and logging of administrative activities
🔵 SAMA CSF
SAMA CSF ID.AM-2: Software and hardware inventory including security tools
SAMA CSF PR.AC-1: Access control policies and procedures for administrative functions
SAMA CSF PR.DS-2: Data security and input validation controls
SAMA CSF DE.CM-1: Detection and monitoring of anomalous activity
SAMA CSF RS.MI-2: Incident response and containment procedures
🟡 ISO 27001:2022
ISO 27001:2022 A.5.15 - Access Control: Segregation of duties for administrative functions
ISO 27001:2022 A.5.16 - Access Control: Authentication and authorization mechanisms
ISO 27001:2022 A.8.22 - Cryptography: Input validation and output encoding
ISO 27001:2022 A.8.24 - Cryptography: Protection against malicious code
ISO 27001:2022 A.12.4.1 - Communications Security: Event logging and monitoring
🟣 PCI DSS v4.0.1
PCI DSS 2.1 - Configuration standards for system components
PCI DSS 6.5.1 - Injection flaws prevention
PCI DSS 6.5.7 - Cross-site scripting (XSS) prevention
PCI DSS 7.1 - Restrict access to cardholder data by business need-to-know
PCI DSS 10.2 - Implement automated audit trails for access to cardholder data
📦 Affected Products / CPE (2 entries)
nozominetworks:cmc
nozominetworks:guardian
📊 CVSS Score
5.9 / 10.0 — Medium
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Attack Vector: N — Network
Attack Complexity: L — Low
Privileges Required: H — High
User Interaction: R — Required
Scope: C — Changed
Confidentiality: L — Low
Integrity: L — Low
Availability: L — Low
📋 Quick Facts
Severity: Medium
CVSS Score: 5.9
CWE: CWE-79
EPSS: 0.03%
Exploit: No
Patch: ✗ No
Published: 2026-05-19
Source Feed: nvd
🇸🇦 Saudi Risk Score
6.8 / 10.0 — Saudi Risk
Priority: HIGH
🏷️ Tags
CWE-79