What is the CVSS score of CVE-2025-32991?

CVE-2025-32991 has a CVSS 3.1 base score of 9.0 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.2%.

How to fix or mitigate CVE-2025-32991?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. Monitor vendor channels for patch availability.

CVE-2025-32991

EUVD-2025-208985 CRITICAL

Race Condition (CWE-362)

2026-03-25 mitre

RCE Race Condition

9.0

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 25, 2026 - 15:00 euvd

EUVD-2025-208985

Analysis Generated

Mar 25, 2026 - 15:00 vuln.today

CVE Published

Mar 25, 2026 - 00:00 nvd

CRITICAL 9.0

DescriptionNVD

In N2WS Backup & Recovery before 4.4.0, a two-step attack against the RESTful API results in remote code execution.

AnalysisAI

N2WS Backup & Recovery before version 4.4.0 contains a remote code execution vulnerability in its RESTful API that requires a two-step attack chain to exploit. An unauthenticated attacker can execute arbitrary code on affected systems, potentially compromising backup and disaster recovery infrastructure. This vulnerability affects the N2WS product line and should be treated as critical given the RCE classification and the security-sensitive nature of backup systems.

Technical ContextAI

The vulnerability exists in the RESTful API implementation of N2WS Backup & Recovery, a cloud-native backup solution commonly deployed in AWS and enterprise environments. The two-step attack methodology suggests a multi-stage exploitation chain, potentially involving initial reconnaissance or credential discovery followed by payload injection or execution. Without specific CWE attribution in available data, the root cause likely involves improper input validation, insecure API design, or unsafe deserialization in the REST endpoint handlers. The N2WS product (cpe:2.3:a:n/a:n/a) is a cloud backup platform that manages snapshots and recovery operations, making its API a high-value target for attackers seeking to compromise backup data integrity and availability.

RemediationAI

Immediately upgrade N2WS Backup & Recovery to version 4.4.0 or later; this is the only confirmed remediation and should be deployed urgently given the RCE severity. Organizations unable to patch immediately should: restrict network access to the N2WS API to trusted internal subnets only, disable or restrict RESTful API functionality if not actively required, implement Web Application Firewall (WAF) rules to inspect and block suspicious multi-step API sequences, and monitor API access logs for exploitation attempts. Consult the vendor security advisory at https://n2ws.com/blog/security-advisory-update for detailed patching instructions, compatibility notes, and any interim mitigations provided by N2WS.

CVE-2025-32991 vulnerability details – vuln.today

Back

CVE-2025-32991

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code