Full Report
Nozomi Networks has published information on vulnerabilities in Nozomi Guardian/CMC. This advisory lists the related Siemens Industrial products affected by these vulnerabilities. Siemens is preparing fix versions and recommends countermeasures for products where fixes are not, or not yet available.
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in Nozomi Guardian/CMC on Siemens RUGGEDCOM APE1808
## CVE Details
- **CVE ID:** CVE-2025-40891, CVE-2025-40892, CVE-2025-40893, CVE-2025-40898
- **CVSS Score:**
  - Max CVSS v3.1: **8.9 (High)**
  - Max CVSS v4.0: **7.2 (High)**
- **CWE:** CWE-79 (Cross-site Scripting), CWE-22 (Path Traversal)
## Affected Systems
- **Products:** RUGGEDCOM APE1808 (Application Hosting Platform)
- **Versions:** All versions running Nozomi Guardian/CMC.
- **Configurations:** Systems utilizing Nozomi Guardian/CMC for edge computing and cybersecurity within the RUGGEDCOM APE1808 environment.
## Vulnerability Description
Four distinct vulnerabilities were identified within the Nozomi Guardian/CMC software:
1. **CVE-2025-40891 (Stored HTML Injection):** Flaw in the "Time Machine Snapshot Diff" functionality. Improper validation of network traffic allows an unauthenticated attacker to inject HTML via crafted packets.
2. **CVE-2025-40892 (Stored XSS):** Flaw in "Reports" functionality. Authenticated users with report privileges can define malicious payloads in reports or report templates.
3. **CVE-2025-40893 (Stored HTML Injection):** Flaw in the "Asset List" functionality. Unauthenticated attackers can inject HTML tags into asset attributes via crafted network packets.
4. **CVE-2025-40898 (Path Traversal):** Flaw in "Import Arc" data archive functionality. Insufficient validation of input files allows an authenticated user to write arbitrary files to arbitrary paths.
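As an added illustration of the containment check an archive import such as the one in item 4 needs (example code, not Nozomi's or Siemens' implementation; the tar format, entry names and destination path are constructed assumptions), this snippet resolves each entry's destination before anything is written and rejects entries that escape the import root:

```python
import io
import os
import tarfile

def resolve_member(dest_root, member):
    """Return the path a tar member would land on, or None if it escapes dest_root.

    Covers the three classic escapes: '..' segments, absolute names, and
    links whose target lies outside the extraction root.
    """
    root = os.path.realpath(dest_root)
    # os.path.join discards root when member.name is absolute, so an absolute
    # entry resolves to itself and fails the containment check below.
    target = os.path.realpath(os.path.join(root, member.name))
    if os.path.commonpath([root, target]) != root:
        return None
    if member.issym() or member.islnk():
        # A link pointing outside the root lets a later entry write through it.
        base = root if member.islnk() else os.path.dirname(target)
        link_target = os.path.realpath(os.path.join(base, member.linkname))
        if os.path.commonpath([root, link_target]) != root:
            return None
    return target

def vet_archive(data, dest_root):
    """Split an archive's entries into those safe to write under dest_root and those to reject."""
    accepted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            bucket = accepted if resolve_member(dest_root, member) else rejected
            bucket.append(member.name)
    return accepted, rejected

def build_sample_archive():
    """Constructed sample (not a real Guardian/CMC archive): two legitimate
    entries, two traversal entries and one symlink escaping the root."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("asset_list.csv", "reports/template.xml",
                     "../../escaped.txt", "/abs/escaped.txt"):
            info = tarfile.TarInfo(name)
            info.size = 1
            tar.addfile(info, io.BytesIO(b"x"))
        link = tarfile.TarInfo("reports/out")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
    return buf.getvalue()

if __name__ == "__main__":
    ok, bad = vet_archive(build_sample_archive(), "/opt/import-staging-example")
    print("accepted:", ok)
    print("rejected:", bad)
```

Rejected entries are the ones an unpatched importer would write outside its staging directory; logging them gives the "unauthorized file write" signal the Detection section asks for.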
## Exploitation
- **Status:** Not exploited (No reports of active exploitation in the wild or public PoC at time of advisory).
- **Complexity:**
  - **High:** CVE-2025-40891 (requires specific GUI actions and multiple snapshots).
  - **Low:** CVE-2025-40892, CVE-2025-40893, CVE-2025-40898.
- **Attack Vector:** Network (All).
## Impact
- **Confidentiality:** **Low** (for the XSS/HTML injection flaws, information disclosure is limited by the application's Content Security Policy and input validation).
- **Integrity:** **High** (Attackers can modify application data, alter device configurations, and inject malicious content).
- **Availability:** **High** (Potential for application disruption or total device unavailability via path traversal).
## Remediation
### Patches
Siemens is currently preparing fix versions.
- **Action:** Users are instructed to **contact Siemens customer support** directly to receive specific patch and update information for the RUGGEDCOM APE1808.
### Workarounds
- **Network Segmentation:** Protect network access to devices with appropriate perimeter defense mechanisms.
- **Secure Environment:** Configure the environment according to Siemens' operational guidelines for Industrial Security.
- **User Precautions:** For the XSS/HTML injection flaws, avoid importing untrusted report templates or viewing suspicious asset snapshots until patched.
## Detection
- **Indicators of Compromise:**
  - Existence of unauthorized files in system directories (via CVE-2025-40898).
  - Unexpected HTML tags or unusual asset naming conventions in the Asset List or Snapshot Diff.
  - Presence of unrecognized report templates in the system.
- **Detection methods:** Review system logs for unauthorized file writes and monitor network traffic for malformed packets targeting the Nozomi management interface.
## References
- **Siemens Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/pdf/ssa-827968[.]pdf
- **Nozomi Security:** hxxps://security[.]nozominetworks[.]com/
- **Siemens Industrial Security Guidelines:** hxxps://www[.]siemens[.]com/cert/operational-guidelines-industrial-security