CVE-2025-40886 HIGH

CVE-2025-40886: Authenticated SQL Injection on Alert functionality in Guardian/CMC before 25.2.0

Vendor Nozomi Networks
Product Guardian
Weakness CWE-89 · SQLi
Published October 7, 2025
Last update October 7, 2025

CVSS base score

7.7/10
Attack vector Network
Attack complexity High
Attack requirements Present
Privileges required Low
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

Description

A SQL Injection vulnerability was discovered in the Alert functionality due to improper validation of an input parameter. An authenticated user with limited privileges can execute arbitrary SQL statements on the DBMS used by the web application, potentially exposing data the user is not authorised to see, altering the structure and content of the database, and/or affecting its availability. Versions of Guardian/CMC before 25.2.0 are affected.
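The following is an added illustration of the CWE-89 pattern the advisory describes, not code from Nozomi Networks or from Guardian/CMC: the advisory does not name the parameter or the query involved, so the `alerts` table, its columns, the `site` scoping and the name filter are all hypothetical. It contrasts an alert-listing handler that concatenates a user-controlled filter into SQL with the same handler using bound parameters, and shows how a low-privileged user scoped to one site can read alerts belonging to another site through the vulnerable form while the hardened form returns nothing.

```python
import sqlite3

# Constructed sample data for the demonstration (not real Guardian alerts).
# Each row: (id, site, name, risk). The requesting user is assumed to be
# authorised for "site-a" only; "site-b" rows must never be returned to them.
ALERTS = [
    (1, "site-a", "Malware detected", "high"),
    (2, "site-a", "New node discovered", "low"),
    (3, "site-b", "Firmware change", "medium"),
    (4, "site-b", "Unauthorised write", "high"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed alerts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE alerts (id INTEGER PRIMARY KEY, site TEXT, name TEXT, risk TEXT)"
    )
    conn.executemany("INSERT INTO alerts VALUES (?, ?, ?, ?)", ALERTS)
    conn.commit()
    return conn


def alerts_vulnerable(conn, site, name_filter):
    """Hypothetical vulnerable handler: the user-supplied name filter is pasted
    into the SQL text, so quotes and comment markers in it are parsed as SQL
    (CWE-89). `site` is assumed to be set by the server from the session, but
    the injected filter can still neutralise that WHERE clause."""
    sql = (
        "SELECT id, site, name, risk FROM alerts "
        f"WHERE site = '{site}' AND name LIKE '%{name_filter}%'"
    )
    return conn.execute(sql).fetchall()


def alerts_safe(conn, site, name_filter):
    """Hardened form: both values travel as bound parameters, never as SQL text.
    The LIKE wildcards are added in Python around the parameter value; '%' and
    '_' typed by the user still act as wildcards, which widens the search but
    cannot change the statement's structure or escape the site scope."""
    sql = (
        "SELECT id, site, name, risk FROM alerts "
        "WHERE site = ? AND name LIKE ?"
    )
    return conn.execute(sql, (site, "%" + name_filter + "%")).fetchall()


def compare(name_filter, site="site-a"):
    """Run the same filter through both handlers and return their row counts."""
    conn = make_db()
    return {
        "vulnerable": len(alerts_vulnerable(conn, site, name_filter)),
        "safe": len(alerts_safe(conn, site, name_filter)),
    }


if __name__ == "__main__":
    # A benign search behaves identically in both handlers.
    print("benign  ", compare("Malware"))
    # The payload closes the LIKE literal, ORs in a tautology and comments out
    # the trailing %' so the statement still parses. AND binds tighter than OR,
    # so the site restriction is bypassed and all four rows come back.
    print("injected", compare("%' OR 1=1 --"))
```

The check a practitioner wants from this is the difference in the second line of output: the concatenating handler returns rows for `site-b` that the caller was never entitled to, which is exactly the cross-boundary confidentiality impact scored as VC:H above, while the parameterised handler returns no rows because the payload is matched as literal text. The same structural fix, binding every user-controlled value, is what removes the class of bug regardless of which parameter the product actually failed to validate.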

Key dates

Disclosure timeline

October 7, 2025 CVE published
October 7, 2025 Record updated