CVE-2025-32991

EUVD-2025-208985
Severity: CRITICAL
CVSS 3.1: 9.0
2026-03-25 mitre

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 25, 2026 - 15:00 (vuln.today)
EUVD ID Assigned: Mar 25, 2026 - 15:00 (euvd), EUVD-2025-208985
CVE Published: Mar 25, 2026 - 00:00 (nvd), CRITICAL 9.0

Description

In N2WS Backup & Recovery before 4.4.0, a two-step attack against the RESTful API results in remote code execution.

Analysis

N2WS Backup & Recovery before version 4.4.0 contains a remote code execution vulnerability in its RESTful API that requires a two-step attack chain to exploit. An unauthenticated attacker can execute arbitrary code on affected systems, potentially compromising backup and disaster recovery infrastructure. This vulnerability affects the N2WS product line and should be treated as critical given the RCE classification and the security-sensitive nature of backup systems.

Technical Context

The vulnerability exists in the RESTful API implementation of N2WS Backup & Recovery, a cloud-native backup solution commonly deployed in AWS and enterprise environments. The two-step attack methodology suggests a multi-stage exploitation chain, potentially involving initial reconnaissance or credential discovery followed by payload injection or execution. Without specific CWE attribution in available data, the root cause likely involves improper input validation, insecure API design, or unsafe deserialization in the REST endpoint handlers. The N2WS product (cpe:2.3:a:n/a:n/a) is a cloud backup platform that manages snapshots and recovery operations, making its API a high-value target for attackers seeking to compromise backup data integrity and availability.

Affected Products

N2WS Backup & Recovery versions prior to 4.4.0 are affected by this vulnerability. The vendor is N2WS (https://www.n2ws.com), and its security advisory is published at https://n2ws.com/blog/security-advisory-update. Organizations running any version before 4.4.0 should be considered vulnerable; the lack of granular CPE data suggests broad impact across the product line. For precise version inventory and deployment scope, refer to the vendor security advisory.

Remediation

Immediately upgrade N2WS Backup & Recovery to version 4.4.0 or later; this is the only confirmed remediation and should be deployed urgently given the RCE severity. Organizations unable to patch immediately should: restrict network access to the N2WS API to trusted internal subnets only, disable or restrict RESTful API functionality if not actively required, implement Web Application Firewall (WAF) rules to inspect and block suspicious multi-step API sequences, and monitor API access logs for exploitation attempts. Consult the vendor security advisory at https://n2ws.com/blog/security-advisory-update for detailed patching instructions, compatibility notes, and any interim mitigations provided by N2WS.

Priority Score

Score: 45
KEV: 0
EPSS: +0.2
CVSS: +45
POC: 0
