CVE-2025-3718: 
NixOS vulnerability analysis and mitigation

CVE-2025-3718 is a client-side path traversal vulnerability discovered in the web management interface front-end of Nozomi Networks' Guardian and CMC products versions prior to 25.2.0. The vulnerability was disclosed on October 7, 2025, and stems from missing validation of an input parameter. The vulnerability affects Guardian and CMC products with versions below v25.2.0 (Nozomi Advisory).

The vulnerability has been assigned CVSS v4.0 score of 5.8 (Medium) with vector string CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:L/VI:H/VA:H/SC:L/SI:L/SA:L, and CVSS v3.1 score of 7.9 (High) with vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:H. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (Nozomi Advisory).

The vulnerability allows an authenticated user with limited privileges to craft a malicious URL which, if visited by an authenticated victim, leads to a Cross-Site Scripting (XSS) attack. Through XSS exploitation, attackers may perform unauthorized actions on the web management interface on behalf of legitimate users, gather sensitive information, or have other unspecified impacts on the victims' browsers (Nozomi Advisory).

Nozomi Networks recommends using internal firewall features to limit access to the web management interface, reviewing and deleting unnecessary accounts with access to it, and applying care when opening untrusted links or visiting external websites while maintaining an authenticated session to the web management interface. The permanent solution is to upgrade to version 25.2.0 or later (Nozomi Advisory).