6.3
Arc Agent Connection to Guardian or CMC Not Secure
CVE-2025-40896
Summary
If an Arc agent connects to a Guardian or CMC without verifying the server's identity, a malicious actor could intercept sensitive information, pretend to be the server, or inject fake data. This could lead to data theft, unauthorized access, or tampering. To fix this, ensure server certificate verification is enabled for Arc agent connections to Guardians and CMCs.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| nozominetworks | arc | <= 2.2.0 | – |
Original title
The server certificate was not verified when an Arc agent connected to a Guardian or CMC.
A malicious actor could perform a man-in-the-middle attack and intercept the communication between the A...
Original description
The server certificate was not verified when an Arc agent connected to a Guardian or CMC.
A malicious actor could perform a man-in-the-middle attack and intercept the communication between the Arc agent and the Guardian or CMC. This could result in theft of the client token and sensitive information (such as assets and alerts), impersonation of the server, or injection of spoofed data (such as false asset information or vulnerabilities) into the Guardian or CMC.
nvd CVSS3.1
4.8
nvd CVSS4.0
6.3
Vulnerability type
CWE-295
Improper Certificate Validation
- https://security.nozominetworks.com/NN-2025:18-01 Vendor Advisory
Published: 4 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026