CVE-2025-59706
Published: 25 March 2026
Summary
CVE-2025-59706 is a critical-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in N2Ws N2W. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-59706 is a critical vulnerability in N2W software versions prior to 4.3.2 and 4.4.0 prior to 4.4.1, stemming from improper validation of API request parameters that enables remote code execution. Assigned CWE-290, it received a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) upon publication on March 25, 2026.
Remote attackers require only network access to the vulnerable N2W instance, with no authentication, privileges, or user interaction needed. By sending specially crafted API requests, they can achieve arbitrary code execution, resulting in high-impact compromise of confidentiality, integrity, and availability on the affected system.
Vendor advisories, including the security update on the N2W blog and release notes for version 4.3.2, recommend upgrading to N2W 4.3.2 or 4.4.1 to mitigate the issue, as detailed in the referenced documentation.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208987
Vulnerability details
In N2W before 4.3.2 and 4.4.0 before 4.4.1, improper validation of API request parameters enables remote code execution.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows unauthenticated remote code execution via crafted API requests on a public-facing application, directly mapping to T1190: Exploit Public-Facing Application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires implementation of input validation mechanisms at API request points to prevent remote code execution from specially crafted parameters.
Ensures timely flaw remediation by patching the improper API parameter validation vulnerability in affected N2W versions.
Enforces restrictions on API input parameters such as types, ranges, and formats to block malicious requests that bypass validation.