Nozomi Networks Guardian and CMC Smart Polling Authenticated SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability exists in the Smart Polling feature of Nozomi Networks Guardian and CMC in versions before 25.2.0. Because an input parameter is not adequately validated, an authenticated user with limited privileges can execute arbitrary SELECT statements against the application's database management system, reading data the account is not authorized to see.
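As an added illustration (this is not Nozomi's code; the advisory does not disclose the affected Smart Polling parameter, schema or query), the Python/sqlite3 snippet below shows the pattern behind a SELECT-only injection of this kind: a lookup whose parameter is pasted into the query text, the same lookup with bound parameters, and an allowlist check placed in front of it. The table names, column names, strategy values and the UNION payload are all hypothetical and constructed for the demo.

```python
"""
Illustrative SQL-injection demo: string-built query vs. parameterized query.
Hypothetical schema and parameter names; not the vendor's code.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for an appliance backend."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE polling_nodes (id INTEGER PRIMARY KEY, ip TEXT, strategy TEXT);
        INSERT INTO polling_nodes VALUES (1, '10.0.0.5', 'snmp'), (2, '10.0.0.6', 'wmi');
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', '$2b$12$constructedhash');
        """
    )
    return conn


def nodes_by_strategy_vulnerable(conn: sqlite3.Connection, strategy: str) -> list:
    # BUG (deliberate): the parameter is interpolated into the SQL text, so any
    # caller who can reach this endpoint controls the shape of the query.
    sql = f"SELECT id, ip FROM polling_nodes WHERE strategy = '{strategy}'"
    return conn.execute(sql).fetchall()


def nodes_by_strategy_fixed(conn: sqlite3.Connection, strategy: str) -> list:
    # Parameter binding: the value is passed to the driver separately and is
    # never parsed as SQL, so the payload simply matches no row.
    sql = "SELECT id, ip FROM polling_nodes WHERE strategy = ?"
    return conn.execute(sql, (strategy,)).fetchall()


ALLOWED_STRATEGIES = frozenset({"snmp", "wmi", "ssh"})  # hypothetical allowlist


def nodes_by_strategy_validated(conn: sqlite3.Connection, strategy: str) -> list:
    # Defence in depth: reject anything that is not a known strategy name
    # before it reaches the database layer at all.
    if strategy not in ALLOWED_STRATEGIES:
        raise ValueError(f"unknown polling strategy: {strategy!r}")
    return nodes_by_strategy_fixed(conn, strategy)


# Constructed payload: closes the string literal, appends a UNION that reads an
# unrelated table, and comments out the trailing quote from the original query.
PAYLOAD = "x' UNION SELECT username, password_hash FROM users --"


def demo() -> tuple:
    """Run the three variants against the same payload and return the outcomes."""
    conn = build_db()
    leaked = nodes_by_strategy_vulnerable(conn, PAYLOAD)   # rows from `users`
    safe = nodes_by_strategy_fixed(conn, PAYLOAD)          # no rows
    try:
        nodes_by_strategy_validated(conn, PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True                                     # blocked before the DB
    return leaked, safe, rejected


if __name__ == "__main__":
    leaked_rows, safe_rows, was_rejected = demo()
    print("vulnerable:", leaked_rows)
    print("parameterized:", safe_rows)
    print("allowlist rejected payload:", was_rejected)
```

The vulnerable variant needs only a valid session and a single crafted parameter, which matches the "authenticated, limited privileges" precondition in the advisory; the read is limited to what the application's own database account can SELECT, which is why the impact is confidentiality rather than code execution.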

Impact

An authenticated user with limited privileges can run arbitrary SELECT statements against the application's database management system. Only SELECT execution is described, so the direct impact is to confidentiality: disclosure of any data readable by the application's database account, which may go well beyond what the attacker's own account is authorized to view through the interface.

Remediation

Users are advised to upgrade to version 25.2.0 or later. Until the upgrade is applied, use the appliance's internal firewall features to restrict which hosts can reach the web management interface, and review the accounts that have access to that interface, removing any that are unnecessary. Because exploitation requires an authenticated session, reducing the number of accounts and networks that can reach the interface directly reduces exposure.

Added: Oct 7, 2025, 1:19 PM
Updated: Oct 7, 2025, 1:19 PM

Vulnerability Rating (custom algorithm)

spread: 2.6
impact: 2.5
exploitability: 4.5
remediation: 7.9
relevance: 0.7
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.