CVE-2025-40888: 
NixOS vulnerability analysis and mitigation

A SQL Injection vulnerability (CVE-2025-40888) was discovered in the CLI functionality of Nozomi Networks' Guardian and CMC products versions prior to 25.3.0. The vulnerability was identified during an internal investigation by Andrea Palanca of Nozomi Networks Product Security team and was disclosed on October 7, 2025 (Nozomi Advisory).

The vulnerability stems from improper validation of an input parameter in the CLI functionality. It has been assigned a CVSS v4.0 score of 6.0 (Medium) with vector string CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N, and a CVSS v3.1 score of 5.3 (Medium) with vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified as CWE-89: Improper Neutralization of Special Elements used in an SQL Command (Nozomi Advisory).

An authenticated user with limited privileges can execute arbitrary SELECT SQL statements on the DBMS used by the web application, potentially exposing unauthorized data (Nozomi Advisory).

Organizations are advised to upgrade to version 25.3.0 or later to address this vulnerability. As temporary workarounds, users should use internal firewall features to limit access to the web management interface and review all accounts with access to it, removing unnecessary ones (Nozomi Advisory).