Cyber Posture

CVE-2025-32991

Critical

Published: 25 March 2026

Published
25 March 2026
Modified
26 March 2026
KEV Added
Patch
CVSS Score 9.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0029 52.8th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-32991 is a critical-severity Race Condition (CWE-362) vulnerability in N2W Backup\& Recovery. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 47.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Applying vendor patches to N2WS Backup & Recovery 4.4.0 or later directly remediates the race condition vulnerability enabling RCE via the RESTful API.

SI-5 Security Alerts, Advisories, and Directives good match
prevent

Responding to vendor security advisories, such as the N2WS update for CVE-2025-32991, ensures timely flaw remediation to prevent exploitation.

RA-5 Vulnerability Monitoring and Scanning good match
detect

Vulnerability scanning identifies the presence of CVE-2025-32991 in N2WS versions before 4.4.0, enabling proactive patching of the API race condition.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

CVE-2025-32991 is a critical unauthenticated RCE vulnerability in a public-facing RESTful API of N2WS Backup & Recovery, directly enabling exploitation of public-facing applications for initial access and system compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

In N2WS Backup & Recovery before 4.4.0, a two-step attack against the RESTful API results in remote code execution.

Deeper analysisAI

CVE-2025-32991 is a remote code execution vulnerability in N2WS Backup & Recovery versions before 4.4.0. It stems from a two-step attack targeting the product's RESTful API and is linked to CWE-362 (race condition). The issue carries a CVSS v3.1 base score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its network accessibility, high impact across confidentiality, integrity, and availability, and scope change upon exploitation. The vulnerability was published on 2026-03-25.

Unauthenticated attackers can exploit this over the network without user interaction, though the two-step process imposes high attack complexity. Successful exploitation grants remote code execution, enabling full control over the affected system with high impacts on data confidentiality, system integrity, and availability.

Vendor advisories, including the security update at https://n2ws.com/blog/security-advisory-update and details on https://www.n2ws.com, address mitigation. Upgrading to N2WS Backup & Recovery 4.4.0 or later resolves the vulnerability.

Details

CWE(s)
CWE-362

Affected Products

n2w
backup\& recovery
≤ 4.3.2

CVEs Like This One

CVE-2026-32887Shared CWE-362
CVE-2025-25214Shared CWE-362
CVE-2025-69871Shared CWE-362
CVE-2026-32242Shared CWE-362
CVE-2026-25536Shared CWE-362
CVE-2026-33009Shared CWE-362
CVE-2025-50177Shared CWE-362
CVE-2025-33238Shared CWE-362
CVE-2025-33254Shared CWE-362
CVE-2025-54955Shared CWE-362

References