EUVD-2025-208987

| CVE-2025-59706 CRITICAL
2026-03-25 mitre GHSA-9hv9-fhrr-m92v
9.8
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 25, 2026 - 15:00 vuln.today
EUVD ID Assigned
Mar 25, 2026 - 15:00 euvd
EUVD-2025-208987
CVE Published
Mar 25, 2026 - 00:00 nvd
CRITICAL 9.8

Tags

RCE Authentication Bypass

Description

In N2W before 4.3.2 and 4.4.0 before 4.4.1, improper validation of API request parameters enables remote code execution.

Analysis

N2W versions prior to 4.3.2 and 4.4.0 prior to 4.4.1 contain improper validation of API request parameters that enables unauthenticated remote code execution. An attacker can craft malicious API requests to bypass input validation and achieve arbitrary code execution on affected systems. This vulnerability affects cloud backup and disaster recovery infrastructure and poses critical risk to data protection environments.

Technical Context

N2W is a backup and disaster recovery solution for cloud environments. The vulnerability stems from insufficient input validation in API request parameter handling, classified under improper input validation practices. The root cause involves the API endpoint failing to properly sanitize or validate user-supplied parameters before processing them, allowing injection of malicious payloads. This affects the core API processing logic that handles customer requests across versions 4.3.x (before 4.3.2) and 4.4.0 (before 4.4.1). The improper validation weakness allows attackers to bypass security controls designed to restrict API parameter values.

Affected Products

N2W versions 4.3.0 through 4.3.1 and version 4.4.0 are affected by this vulnerability. The vendor has issued patches in N2W version 4.3.2 (released August 2025) and N2W version 4.4.1. Additional details are available in the N2W release notes at https://n2ws.zendesk.com/hc/en-us/articles/29817965452701-Release-notes-for-N2W-V4-3-2-August-2025 and the security advisory at https://n2ws.com/blog/security-advisory-update. The vendor's official website is https://www.n2ws.com.

Remediation

Immediately upgrade N2W to version 4.3.2 or later (for the 4.3.x branch) or version 4.4.1 or later (for the 4.4.x branch). Refer to the official vendor release notes at https://n2ws.zendesk.com/hc/en-us/articles/29817965452701-Release-notes-for-N2W-V4-3-2-August-2025 for upgrade procedures. If immediate patching is not feasible, implement network-level controls to restrict API access to trusted internal networks only, disable remote API access if not required for operations, and monitor API logs for suspicious parameter values or injection attempts. Apply patches during the next maintenance window if immediate deployment is not possible, but prioritize this remediation given the remote code execution severity.

Priority Score

49
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +49
POC: 0

Share

EUVD-2025-208987 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy