Skip to main content

In N2W CVE-2025-59707

| EUVDEUVD-2025-208989 CRITICAL
Authentication Bypass by Spoofing (CWE-290)
2026-03-25 mitre GHSA-gh4v-wrvj-j9x2
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 25, 2026 - 18:07 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 15:00 euvd
EUVD-2025-208989
Analysis Generated
Mar 25, 2026 - 15:00 vuln.today
CVE Published
Mar 25, 2026 - 00:00 nvd
CRITICAL 9.8

DescriptionCVE.org

In N2W before 4.3.2 and 4.4.x before 4.4.1, there is potential remote code execution and account credentials theft because of a spoofing vulnerability.

AnalysisAI

N2W versions before 4.3.2 and 4.4.x before 4.4.1 contain a spoofing vulnerability that enables remote code execution and account credential theft. The vulnerability allows attackers to impersonate legitimate entities, potentially leading to arbitrary code execution on affected systems and unauthorized access to sensitive credentials. No CVSS score, EPSS data, or active KEV designation is currently available, limiting immediate risk quantification.

Technical ContextAI

This vulnerability stems from insufficient input validation and authentication mechanisms in N2W, a backup and disaster recovery solution. The spoofing vulnerability (likely related to weak cryptographic verification, insufficient origin validation, or improper handling of authentication tokens) permits attackers to bypass security controls intended to verify legitimate communication partners. While specific CWE classification is not provided in the advisory data, common spoofing vulnerabilities fall under CWE-287 (Improper Authentication), CWE-295 (Improper Certificate Validation), or CWE-347 (Improper Verification of Cryptographic Signature). The affected CPE data (cpe:2.3:a:n/a:n/a:*:*:*:*:*:*:*:*) indicates limited CPE specificity in current registries, suggesting either newly registered or insufficiently detailed product metadata.

RemediationAI

Immediately upgrade N2W to version 4.3.2 or later if running 4.3.x, or to version 4.4.1 or later if running 4.4.x (see vendor release notes and security advisory at https://n2ws.zendesk.com/hc/en-us/articles/29817965452701-Release-notes-for-N2W-V4-3-2-August-2025 and https://n2ws.com/blog/security-advisory-update). Until patching is complete, implement network-level access controls to restrict N2W administrative interfaces to trusted internal networks only, enforce encrypted connections (TLS 1.2 or higher) for all N2W communications, and rotate all N2W account credentials. Additionally, review backup system logs for signs of unauthorized access or anomalous authentication attempts.

Share

CVE-2025-59707 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy