CVE-2025-40885 MEDIUM

CVE-2025-40885: Authenticated SQL Injection on Smart Polling functionality in Guardian/CMC before 25.2.0

Vendor: Nozomi Networks
Product: Guardian
Weakness: CWE-89 · SQLi
Published: October 7, 2025
Last update: October 7, 2025

CVSS base score

6.0/10
Attack vector: Network
Attack complexity: High
Privileges required: Low
User interaction: None
Confidentiality: High
Integrity: None

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

A SQL Injection vulnerability was discovered in the Smart Polling functionality due to improper validation of an input parameter. An authenticated user with limited privileges can execute arbitrary SELECT SQL statements on the DBMS used by the web application, potentially exposing unauthorized data.

Key dates

02 Disclosure timeline

October 7, 2025: CVE published
October 7, 2025: Record updated