NN-2025:18-01
Lack of TLS certificate validation when connecting Arc to a Guardian or CMC, in Arc before v2.2.0
Last update: 2026-03-04
| Advisory ID | NN-2025:18-01 |
|---|---|
| Topic | Lack of TLS certificate validation when connecting Arc to a Guardian or CMC, in Arc before v2.2.0 |
| CWE Impact | CWE-295: Improper Certificate Validation |
| Issue date | 2026-03-04 |
| Affects | Arc < v2.2.0 |
| CVE Name(s) | CVE-2025-40896 |
| CVSS Details | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| CVSS Score | 6.3 (CVSS v4.0) 6.5 (CVSS v3.1) |
| CVE Risk Level | Medium (CVSS v4.0) Medium (CVSS v3.1) |
| Risk Level for Nozomi customers | Medium |
Summary
The server certificate was not verified when an Arc agent connected to a Guardian or CMC.
Impact
A malicious actor could perform a man-in-the-middle attack and intercept the communication between the Arc agent and the Guardian or CMC. This could result in theft of the client token and sensitive information (such as assets and alerts), impersonation of the server, or injection of spoofed data (such as false asset information or vulnerabilities) into the Guardian or CMC.
Affected Products
Arc < v2.2.0
Workarounds and Mitigations
N/A
Solutions
Upgrade Arc to v2.2.0 or later.
Modification History
2026-03-04: Initial revision
Related Links
Acknowledgements
We thank the following parties for their efforts:
- Felix Eberstaller of Limes Security for finding this issue during a VAPT testing session commissioned by one of our customers
Contact
Nozomi Networks Product Security team can be reached at prodsec@nozominetworks.com.More contact details on the PSIRT page.