High

Path Traversal in Nozomi Guardian/CMC Import Arc Data Archive

IdentifiersCVE-2025-40898CWE-22· Improper Limitation of a Pathname…

CVE-2025-40898 is a path traversal vulnerability in the Import Arc data archive functionality of Nozomi Networks CMC and Guardian before version 25.5.0. The flaw is caused by insufficient validation of the uploaded Arc archive input, allowing path traversal during archive import. An authenticated user with limited privileges can upload a specifically crafted Arc data archive that causes the application to write files outside the intended destination, resulting in arbitrary file write to attacker-controlled paths on the device. The issue affects Nozomi Guardian/CMC deployments, including Siemens RUGGEDCOM APE1808 deployments using the affected software.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an authenticated low-privilege attacker to write arbitrary files to arbitrary paths on the target device. This can be used to alter device configuration and negatively affect system availability. Based on the provided CVSS vectors and vendor description, the primary impacts are high integrity and high availability impact, with no stated confidentiality impact.

Mitigation

If you can’t patch tonight, do this now.

Until patches are applied, restrict access to the Import Arc data archive functionality to only trusted administrative users, minimize network exposure of affected systems, and protect management interfaces from untrusted networks. In ICS environments, follow Siemens/CISA guidance: isolate control networks behind firewalls, segment affected devices, and use secure remote access methods such as fully updated VPNs. More generally, reduce the number of accounts with privileges sufficient to import archives and monitor for suspicious archive uploads or unexpected file changes on the appliance.

Remediation

Patch, then assume compromise.

Upgrade Nozomi Networks Guardian and CMC to version 25.5.0 or later, as versions prior to 25.5.0 are affected. For Siemens RUGGEDCOM APE1808 environments using the affected Nozomi components, Siemens states that customers should contact customer support to obtain patch and update information. Nozomi has also published vendor advisory NN-2025:15-01 with mitigation/remediation guidance.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Nozomi NetworksCmcapplication

Nozomi NetworksGuardianapplication

NozominetworksCmcapplication

NozominetworksGuardianapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app

cvefeed high severityNews

Dec 18, 2025

CVE-2025-40898 - Path traversal in Import Arc data archive functionality in Guardian/CMC before 25.5.0

An authenticated path traversal / arbitrary file write vulnerability in Nozomi Networks products' Import Arc data archive functionality, allowing a low-privileged authenticated user to upload a crafted archive and write files to arbitrary paths, potentially altering configuration and impacting availability.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity4

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-40898

NVD

nvd.nist.gov/vuln/detail/CVE-2025-40898

MITRE CWE · CWE-22

Improper Limitation of a Pathname to a…

Vendor Advisory

security.nozominetworks.com/NN-2025:15-01

cert-portal.siemens.com

cert-portal.siemens.com/productcert/html/ssa-827968.html