CVE-2025-40887: 
NixOS vulnerability analysis and mitigation

A SQL Injection vulnerability (CVE-2025-40887) was discovered in the Alert functionality of Nozomi Networks' Guardian and CMC products before version 25.2.0. The vulnerability was discovered on October 7, 2025, during an internal investigation by Andrea Palanca of Nozomi Networks Product Security team. The vulnerability stems from improper validation of an input parameter in the Alert functionality (Nozomi Advisory).

The vulnerability is classified as CWE-89 (SQL Injection) and has received a CVSS v4.0 base score of 6.0 (Medium) and CVSS v3.1 base score of 6.5 (Medium). The vulnerability requires network access (AV:N), has high attack complexity (AC:H), requires present attack requirements (AT:P), needs low privileges (PR:L), and no user interaction (UI:N). The impact primarily affects confidentiality (VC:H) with no impact on integrity (VI:N) or availability (VA:N) (Nozomi Advisory).

An authenticated user with limited privileges can execute arbitrary SELECT SQL statements on the DBMS used by the web application, potentially exposing unauthorized data. The vulnerability primarily affects the confidentiality of the system, with no direct impact on system integrity or availability (Nozomi Advisory).

Nozomi Networks recommends two primary mitigation strategies: 1) Use internal firewall features to limit access to the web management interface, and 2) Review all accounts with access to it and delete unnecessary ones. The permanent solution is to upgrade to version 25.2.0 or later (Nozomi Advisory).