Cyber Resilience

CVE-2025-32991

Critical

Published: 25 March 2026

Published
25 March 2026
Modified
26 March 2026
KEV Added
Patch
CVSS Score v3.1 9.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0034 25.6th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-32991 is a critical-severity Race Condition (CWE-362) vulnerability in N2W Backup\& Recovery. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-32991 is a remote code execution vulnerability in N2WS Backup & Recovery versions before 4.4.0. It stems from a two-step attack targeting the product's RESTful API and is linked to CWE-362 (race condition). The issue carries a CVSS v3.1 base score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its network accessibility, high impact across confidentiality, integrity, and availability, and scope change upon exploitation. The vulnerability was published on 2026-03-25.

Unauthenticated attackers can exploit this over the network without user interaction, though the two-step process imposes high attack complexity. Successful exploitation grants remote code execution, enabling full control over the affected system with high impacts on data confidentiality, system integrity, and availability.

Vendor advisories, including the security update at https://n2ws.com/blog/security-advisory-update and details on https://www.n2ws.com, address mitigation. Upgrading to N2WS Backup & Recovery 4.4.0 or later resolves the vulnerability.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

In N2WS Backup & Recovery before 4.4.0, a two-step attack against the RESTful API results in remote code execution.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2025-32991 is a critical unauthenticated RCE vulnerability in a public-facing RESTful API of N2WS Backup & Recovery, directly enabling exploitation of public-facing applications for initial access and system compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32887Shared CWE-362
CVE-2025-69871Shared CWE-362
CVE-2025-25214Shared CWE-362
CVE-2026-41964Shared CWE-362
CVE-2026-33009Shared CWE-362
CVE-2025-50177Shared CWE-362
CVE-2026-25536Shared CWE-362
CVE-2026-32242Shared CWE-362
CVE-2025-33254Shared CWE-362
CVE-2026-5947Shared CWE-362

Affected Assets

n2w
backup\& recovery
≤ 4.3.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Applying vendor patches to N2WS Backup & Recovery 4.4.0 or later directly remediates the race condition vulnerability enabling RCE via the RESTful API.

prevent

Responding to vendor security advisories, such as the N2WS update for CVE-2025-32991, ensures timely flaw remediation to prevent exploitation.

detect

Vulnerability scanning identifies the presence of CVE-2025-32991 in N2WS versions before 4.4.0, enabling proactive patching of the API race condition.

References