CVE-2025-40889: 
NixOS vulnerability analysis and mitigation

A path traversal vulnerability (CVE-2025-40889) was discovered in the Time Machine functionality of Nozomi Networks' Guardian and CMC products. The vulnerability, disclosed on October 7, 2025, exists due to missing validation of two input parameters and affects all versions prior to 25.2.0. This security flaw allows authenticated users with limited privileges to manipulate files in specific system directories (Nozomi Advisory).

The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and has received a CVSS v4.0 score of 7.2 (High) and a CVSS v3.1 score of 8.1 (High). The vulnerability is network-accessible (AV:N) with low attack complexity (AC:L) and requires low privileges (PR:L) with no user interaction (UI:N). The attack can result in high impacts on integrity (VI:H) and availability (VA:H) of the affected systems (Nozomi Advisory).

When exploited, this vulnerability enables authenticated users with limited privileges to alter the structure and content of files in the /data folder and potentially affect their availability. The impact primarily concerns the integrity and availability of the system, while confidentiality remains unaffected (Nozomi Advisory).

Nozomi Networks recommends two primary mitigation strategies: 1) Upgrading to version 25.2.0 or later, and 2) Using internal firewall features to limit access to the web management interface and reviewing all accounts with access to remove unnecessary ones (Nozomi Advisory).