Skip to main content

In N2W CVE-2025-59706

| EUVDEUVD-2025-208987 CRITICAL
Authentication Bypass by Spoofing (CWE-290)
2026-03-25 mitre GHSA-9hv9-fhrr-m92v
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 25, 2026 - 18:07 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 15:00 euvd
EUVD-2025-208987
Analysis Generated
Mar 25, 2026 - 15:00 vuln.today
CVE Published
Mar 25, 2026 - 00:00 nvd
CRITICAL 9.8

DescriptionCVE.org

In N2W before 4.3.2 and 4.4.0 before 4.4.1, improper validation of API request parameters enables remote code execution.

AnalysisAI

N2W versions prior to 4.3.2 and 4.4.0 prior to 4.4.1 contain improper validation of API request parameters that enables unauthenticated remote code execution. An attacker can craft malicious API requests to bypass input validation and achieve arbitrary code execution on affected systems. This vulnerability affects cloud backup and disaster recovery infrastructure and poses critical risk to data protection environments.

Technical ContextAI

N2W is a backup and disaster recovery solution for cloud environments. The vulnerability stems from insufficient input validation in API request parameter handling, classified under improper input validation practices. The root cause involves the API endpoint failing to properly sanitize or validate user-supplied parameters before processing them, allowing injection of malicious payloads. This affects the core API processing logic that handles customer requests across versions 4.3.x (before 4.3.2) and 4.4.0 (before 4.4.1). The improper validation weakness allows attackers to bypass security controls designed to restrict API parameter values.

RemediationAI

Immediately upgrade N2W to version 4.3.2 or later (for the 4.3.x branch) or version 4.4.1 or later (for the 4.4.x branch). Refer to the official vendor release notes at https://n2ws.zendesk.com/hc/en-us/articles/29817965452701-Release-notes-for-N2W-V4-3-2-August-2025 for upgrade procedures. If immediate patching is not feasible, implement network-level controls to restrict API access to trusted internal networks only, disable remote API access if not required for operations, and monitor API logs for suspicious parameter values or injection attempts. Apply patches during the next maintenance window if immediate deployment is not possible, but prioritize this remediation given the remote code execution severity.

Share

CVE-2025-59706 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy