Nozomi Remote Collector TLS Certificate Verification Bypass Vulnerability
When the upstream Guardian or CMC was configured in the Remote Collector via n2os-tui, the generated configuration disabled TLS certificate verification, and no option was provided to enable it. A malicious actor could perform a man-in-the-middle attack and intercept the communication between the Remote Collector and the Guardian or CMC. This could result in theft of the sync token, impersonation of the server, injection of spoofed data (such as false asset information or vulnerabilities) into the Guardian or CMC, or disruption of the data flow between the Remote Collector and the Guardian or CMC.
Quick answer
Nozomi Networks Remote Collector should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- Nozomi Networks Remote Collector before 26.2.0
Fixed versions
- 26.2.0
How to fix it
Nozomi Remote Collector before 26.2.0 is affected by CVE-2026-31985. TLS certificate verification is disabled when configured through n2os-tui, allowing MITM interception of Remote Collector communication with Guardian or CMC. Upgrade to 26.2.0, replace exposed sync tokens if interception is suspected, and ensure collector-to-server communication is protected by trusted certificate validation.
- Inventory affected Nozomi Remote Collector deployments and record appliance, sensor, and collector versions.
- Upgrade affected systems from before 26.2.0 to 26.2.0 or later.
- Apply the vendor mitigation if an immediate upgrade cannot be completed.
- Restrict management, synchronization, SAML, and collector interfaces to trusted networks only.
- Review users, roles, sync tokens, certificates, and recent configuration changes for suspicious activity.
- Back up known-good configuration before remediation and after the patched state is confirmed.
- Monitor appliance health, audit logs, and authentication events for repeated exploit attempts.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm Nozomi Remote Collector is running 26.2.0 or later where applicable.
- Retest the affected workflow in staging or a maintenance window and confirm the vulnerable behavior is blocked.
- Review audit logs after remediation for failed attempts against the affected endpoint or feature.
- Confirm legitimate synchronization, SAML, SSH key, or visualization workflows still work as expected.
- Run a Fixnx scan and confirm public management interfaces are not exposed.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-31985?
Nozomi Networks Remote Collector versions listed as affected should be reviewed: Nozomi Networks Remote Collector before 26.2.0.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
