CVE-2025-59707

| EUVD-2025-208989 CRITICAL
2026-03-25 mitre GHSA-gh4v-wrvj-j9x2
9.8
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 25, 2026 - 15:00 vuln.today
EUVD ID Assigned
Mar 25, 2026 - 15:00 euvd
EUVD-2025-208989
CVE Published
Mar 25, 2026 - 00:00 nvd
CRITICAL 9.8

Tags

RCE Authentication Bypass

Description

In N2W before 4.3.2 and 4.4.x before 4.4.1, there is potential remote code execution and account credentials theft because of a spoofing vulnerability.

Analysis

N2W versions before 4.3.2 and 4.4.x before 4.4.1 contain a spoofing vulnerability that enables remote code execution and account credential theft. The vulnerability allows attackers to impersonate legitimate entities, potentially leading to arbitrary code execution on affected systems and unauthorized access to sensitive credentials. No CVSS score, EPSS data, or active KEV designation is currently available, limiting immediate risk quantification.

Technical Context

This vulnerability stems from insufficient input validation and authentication mechanisms in N2W, a backup and disaster recovery solution. The spoofing vulnerability (likely related to weak cryptographic verification, insufficient origin validation, or improper handling of authentication tokens) permits attackers to bypass security controls intended to verify legitimate communication partners. While specific CWE classification is not provided in the advisory data, common spoofing vulnerabilities fall under CWE-287 (Improper Authentication), CWE-295 (Improper Certificate Validation), or CWE-347 (Improper Verification of Cryptographic Signature). The affected CPE data (cpe:2.3:a:n/a:n/a:*:*:*:*:*:*:*:*) indicates limited CPE specificity in current registries, suggesting either newly registered or insufficiently detailed product metadata.

Affected Products

N2W versions prior to 4.3.2 and all 4.4.x versions before 4.4.1 are affected. Customers currently on N2W 4.3.x should upgrade to 4.3.2 or later, and those on 4.4.x should upgrade to 4.4.1 or later. The vendor has published release notes and security advisories at https://n2ws.zendesk.com/hc/en-us/articles/29817965452701-Release-notes-for-N2W-V4-3-2-August-2025 and https://n2ws.com/blog/security-advisory-update for detailed patching information. Additional information is available from the vendor's main site at https://www.n2ws.com.

Remediation

Immediately upgrade N2W to version 4.3.2 or later if running 4.3.x, or to version 4.4.1 or later if running 4.4.x (see vendor release notes and security advisory at https://n2ws.zendesk.com/hc/en-us/articles/29817965452701-Release-notes-for-N2W-V4-3-2-August-2025 and https://n2ws.com/blog/security-advisory-update). Until patching is complete, implement network-level access controls to restrict N2W administrative interfaces to trusted internal networks only, enforce encrypted connections (TLS 1.2 or higher) for all N2W communications, and rotate all N2W account credentials. Additionally, review backup system logs for signs of unauthorized access or anomalous authentication attempts.

Priority Score

49
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +49
POC: 0

Share

CVE-2025-59707 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy