Cyber Posture

CVE-2025-40889

High

Published: 07 October 2025

Modified: 09 October 2025
KEV Added: not listed
Patch: see vendor advisory NN-2025:9-01
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0010 (27.2nd percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-40889 is a high-severity Path Traversal (CWE-22) vulnerability in Nozomi Networks CMC and Guardian. Its CVSS v3.1 base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data Destruction (T1485). EPSS ranks it at the 27.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data Destruction (T1485) and one other technique (T1565.001, below). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- SI-10 Information Input Validation (prevent): directly addresses the missing validation of input parameters that enables path traversal attacks in the Time Machine functionality.
- Access enforcement (prevent; control identifier not recorded on this page): enforces access control policies to restrict unauthorized alterations to files in the /data folder even if path traversal bypasses application logic.
- SI-2 Flaw Remediation (prevent): requires timely identification, reporting, and correction of the specific path traversal flaw to eliminate the vulnerability.

MITRE ATT&CK Enterprise Techniques

- T1485 Data Destruction (Impact): adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
- T1565.001 Stored Data Manipulation (Impact): adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Path traversal enables direct file content/structure modification and availability impact in /data, mapping to stored data manipulation and data destruction.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

A path traversal vulnerability was discovered in the Time Machine functionality due to missing validation of two input parameters. An authenticated user with limited privileges, by issuing a specifically-crafted request, can potentially alter the structure and content of files in the /data folder, and/or affect their availability.

Deeper analysis

CVE-2025-40889, published on 2025-10-07, is a path traversal vulnerability (CWE-22) in the Time Machine functionality, stemming from missing validation of two input parameters. The vulnerability affects Nozomi Networks CMC and Guardian (versions up to and including 25.2.0) and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), indicating high impact on integrity and availability with no confidentiality impact.

An authenticated attacker with limited privileges can exploit the vulnerability over the network with low complexity by issuing a specifically crafted request. Successful exploitation allows the attacker to potentially alter the structure and content of files in the /data folder and/or affect their availability.

Mitigation details are provided in the Nozomi Networks security advisory NN-2025:9-01, available at https://security.nozominetworks.com/NN-2025:9-01.
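The root cause described above is the one SI-10 targets: caller-supplied path components reach the filesystem without being checked against the directory they are meant to stay inside. The following is an added, generic illustration of that check and is not Nozomi Networks code; `DATA_DIR`, `build_export_path` and the two parameter names are hypothetical stand-ins for an application that accepts a directory and a file name from an authenticated request. It shows why a lexical `..` check alone is insufficient (a symlink planted inside the base directory can still redirect a write outside it) and layers a `realpath` check on top.

```python
import os
import tempfile

# Hypothetical base directory standing in for the application data folder
# named in the advisory text; none of this is Nozomi Networks code.
DATA_DIR = "/data"


class PathTraversalError(ValueError):
    """Raised when a caller-supplied path would escape the permitted base."""


def _is_within(base: str, path: str) -> bool:
    """True if path equals base or lies beneath it (both already absolute)."""
    return os.path.commonpath([base, path]) == base


def confine_to_base(base_dir: str, *untrusted_parts: str) -> str:
    """Join untrusted components under base_dir and return the result only
    if it stays inside base_dir.

    Two independent checks are applied because each catches a case the
    other misses:
      1. lexical: normpath() collapses '..' and '.' so 'x/../../etc' is
         compared as the directory it really names;
      2. filesystem: realpath() follows symlinks, so a link created inside
         base_dir cannot redirect the access to an outside location.
    """
    if not untrusted_parts:
        raise PathTraversalError("no path components supplied")
    base = os.path.realpath(base_dir)
    for part in untrusted_parts:
        # An absolute component would make os.path.join discard base_dir;
        # a NUL byte truncates the path in C-level file APIs.
        if not part or os.path.isabs(part) or "\x00" in part:
            raise PathTraversalError(f"rejected component: {part!r}")
    candidate = os.path.normpath(os.path.join(base, *untrusted_parts))
    if not _is_within(base, candidate):
        raise PathTraversalError(f"lexical escape: {candidate!r}")
    resolved = os.path.realpath(candidate)
    if not _is_within(base, resolved):
        raise PathTraversalError(f"symlink escape: {candidate!r} -> {resolved!r}")
    return candidate


def build_export_path(subdir: str, filename: str, base_dir: str = DATA_DIR) -> str:
    """Hypothetical request-handler helper: both caller-controlled parameters
    pass through confine_to_base instead of being concatenated directly."""
    return confine_to_base(base_dir, subdir, filename)


def is_rejected(*parts: str, base_dir: str = DATA_DIR) -> bool:
    """Convenience predicate: True if confine_to_base refuses these parts."""
    try:
        confine_to_base(base_dir, *parts)
    except PathTraversalError:
        return True
    return False


def symlink_escape_demo() -> dict:
    """Create a throwaway tree holding a symlink that points outside the
    permitted directory, then show that the lexical check alone accepts the
    path while the realpath check refuses it. Returns both outcomes."""
    root = tempfile.mkdtemp()
    inside = os.path.join(root, "store")
    outside = os.path.join(root, "elsewhere")
    os.mkdir(inside)
    os.mkdir(outside)
    os.symlink(outside, os.path.join(inside, "link"))
    base = os.path.realpath(inside)
    lexical_ok = _is_within(base, os.path.normpath(os.path.join(base, "link", "f.txt")))
    return {
        "lexical_check_passed": lexical_ok,
        "rejected_by_realpath": is_rejected("link", "f.txt", base_dir=inside),
    }


if __name__ == "__main__":
    print(build_export_path("exports", "report.txt"))
    for bad in [("..", "etc/passwd"), ("exports", "../../etc/passwd"), ("/etc", "passwd")]:
        print("blocked:", bad, is_rejected(*bad))
    print(symlink_escape_demo())
```

The returned path is the normalized candidate rather than the fully resolved one, so callers can still log what the request asked for; the access-enforcement control listed above remains necessary as a second layer, since this check only governs code paths that actually call it.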

Details

CWE(s): CWE-22 (Path Traversal)

Affected Products

- nozominetworks / cmc: versions ≤ 25.2.0
- nozominetworks / guardian: versions ≤ 25.2.0

CVEs Like This One

- CVE-2025-40898: same product (Nozominetworks Cmc)
- CVE-2025-69194: shared CWE-22
- CVE-2026-41383: shared CWE-22
- CVE-2026-28791: shared CWE-22
- CVE-2026-25161: shared CWE-22
- CVE-2025-51480: shared CWE-22
- CVE-2025-25371: shared CWE-22
- CVE-2026-6940: shared CWE-22
- CVE-2026-33681: shared CWE-22
- CVE-2026-33054: shared CWE-22

References

- Nozomi Networks security advisory NN-2025:9-01: https://security.nozominetworks.com/NN-2025:9-01