CVSS: 7.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-13090 – Privilege escalation in Guardian/CMC before 24.6.0
https://notcve.org/view.php?id=CVE-2024-13090
10 Jun 2025 — A privilege escalation vulnerability may enable a service account to elevate its privileges. The sudo rules configured for a local service account were excessively permissive, potentially allowing administrative access if a malicious actor could execute arbitrary commands as that account. It is important to note that no such vector has been identified in this instance. Una vulnerabilidad de escalada de privilegios podría permitir que una cuenta de servicio eleve sus privilegios. Las reglas de sudo configura... • https://security.nozominetworks.com/NN-2025:2-01 • CWE-250: Execution with Unnecessary Privileges •
CVSS: 8.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-13089 – Authenticated RCE in update functionality in Guardian/CMC before 24.6.0
https://notcve.org/view.php?id=CVE-2024-13089
10 Jun 2025 — An OS command injection vulnerability within the update functionality may allow an authenticated administrator to execute unauthorized arbitrary OS commands. Users with administrative privileges may upload update packages to upgrade the versions of Nozomi Networks Guardian and CMC. While these updates are signed and their signatures are validated prior to installation, an improper signature validation check has been identified. This issue could potentially enable users to execute commands remotely on the ap... • https://security.nozominetworks.com/NN-2025:1-01 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-4465 – Incorrect authorization for Reports configuration in Guardian/CMC before 24.2.0
https://notcve.org/view.php?id=CVE-2024-4465
11 Sep 2024 — An access control vulnerability was discovered in the Reports section due to a specific access restriction not being properly enforced for users with limited privileges. If a logged-in user with reporting privileges learns how to create a specific application request, they might be able to make limited changes to the reporting configuration. This could result in a partial loss of data integrity. In Guardian/CMC instances with a reporting configuration, there could be limited Denial of Service (DoS) impacts,... • https://security.nozominetworks.com/NN-2024:2-01 • CWE-863: Incorrect Authorization •
CVSS: 8.3EPSS: 0%CPEs: 2EXPL: 0CVE-2023-6916 – Information disclosure via audit records for OpenAPI requests in Guardian/CMC before 23.4.1
https://notcve.org/view.php?id=CVE-2023-6916
10 Apr 2024 — Audit records for OpenAPI requests may include sensitive information. This could lead to unauthorized accesses and privilege escalation. Los registros de auditoría de solicitudes de OpenAPI pueden incluir información confidencial. Esto podría provocar accesos no autorizados y escalada de privilegios. • https://security.nozominetworks.com/NN-2023:17-01 • CWE-201: Insertion of Sensitive Information Into Sent Data CWE-522: Insufficiently Protected Credentials •