Cyber Resilience

CVE-2025-40889

High

Published: 07 October 2025

Published
07 October 2025
Modified
09 October 2025
KEV Added
Patch
CVSS Score v4 7.2 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0009 26.4th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-40889 is a high-severity Path Traversal (CWE-22) vulnerability in Nozominetworks Cmc. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data Destruction (T1485); ranked at the 26.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-40889, published on 2025-10-07, is a path traversal vulnerability (CWE-22) in the Time Machine functionality, stemming from missing validation of two input parameters. The vulnerability affects Nozomi Networks software and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), indicating high impact on integrity and availability with no confidentiality impact.

An authenticated attacker with limited privileges can exploit the vulnerability over the network with low complexity by issuing a specifically crafted request. Successful exploitation allows the attacker to potentially alter the structure and content of files in the /data folder and/or affect their availability.

Mitigation details are provided in the Nozomi Networks security advisory NN-2025:9-01, available at https://security.nozominetworks.com/NN-2025:9-01.

EU & UK References

Vulnerability details

A path traversal vulnerability was discovered in the Time Machine functionality due to missing validation of two input parameters. An authenticated user with limited privileges, by issuing a specifically-crafted request, can potentially alter the structure and content of files in…

more

the /data folder, and/or affect their availability.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1485 Data Destruction Impact
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Path traversal enables direct file content/structure modification and availability impact in /data, mapping to stored data manipulation and data destruction.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-40898Same product: Nozominetworks Cmc
CVE-2026-45224Shared CWE-22
CVE-2026-41383Shared CWE-22
CVE-2025-69194Shared CWE-22
CVE-2026-28791Shared CWE-22
CVE-2025-51480Shared CWE-22
CVE-2026-25161Shared CWE-22
CVE-2025-25371Shared CWE-22
CVE-2026-6940Shared CWE-22
CVE-2026-33054Shared CWE-22

Affected Assets

nozominetworks
cmc
≤ 25.2.0
nozominetworks
guardian
≤ 25.2.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the missing validation of input parameters that enables path traversal attacks in the Time Machine functionality.

prevent

Enforces access control policies to restrict unauthorized alterations to files in the /data folder even if path traversal bypasses application logic.

prevent

Requires timely identification, reporting, and correction of the specific path traversal flaw to eliminate the vulnerability.

References