CVE-2025-40886: 
NixOS vulnerability analysis and mitigation

A SQL Injection vulnerability (CVE-2025-40886) was discovered in the Alert functionality of Nozomi Networks' Guardian and CMC products versions before 25.2.0. The vulnerability was disclosed on October 7, 2025, and stems from improper validation of an input parameter. The affected products include Guardian and CMC versions prior to v25.2.0 (Nozomi Advisory).

The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). It received a CVSS v4.0 score of 7.7 (High) with vector string CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, and a CVSS v3.1 score of 8.8 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD, Nozomi Advisory).

An authenticated user with limited privileges can execute arbitrary SQL statements on the DBMS used by the web application. This could result in unauthorized data exposure, alteration of database structure and content, and potential impact on system availability (Nozomi Advisory).

Users are advised to upgrade to version 25.2.0 or later. As temporary workarounds, organizations should use internal firewall features to limit access to the web management interface and review all accounts with access to it, removing unnecessary ones (Nozomi Advisory).