Cyber Resilience

CVE-2025-59706

Critical

Published: 25 March 2026

Published
25 March 2026
Modified
25 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0053 40.5th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-59706 is a critical-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in N2Ws N2W. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-59706 is a critical vulnerability in N2W software versions prior to 4.3.2 and 4.4.0 prior to 4.4.1, stemming from improper validation of API request parameters that enables remote code execution. Assigned CWE-290, it received a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) upon publication on March 25, 2026.

Remote attackers require only network access to the vulnerable N2W instance, with no authentication, privileges, or user interaction needed. By sending specially crafted API requests, they can achieve arbitrary code execution, resulting in high-impact compromise of confidentiality, integrity, and availability on the affected system.

Vendor advisories, including the security update on the N2W blog and release notes for version 4.3.2, recommend upgrading to N2W 4.3.2 or 4.4.1 to mitigate the issue, as detailed in the referenced documentation.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

In N2W before 4.3.2 and 4.4.0 before 4.4.1, improper validation of API request parameters enables remote code execution.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows unauthenticated remote code execution via crafted API requests on a public-facing application, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-59707Same product: N2Ws N2W
CVE-2018-25316Shared CWE-290
CVE-2026-0834Shared CWE-290
CVE-2025-69401Shared CWE-290
CVE-2025-27671Shared CWE-290
CVE-2026-31889Shared CWE-290
CVE-2026-35622Shared CWE-290
CVE-2026-34457Shared CWE-290
CVE-2026-8644Shared CWE-290
CVE-2026-3902Shared CWE-290

Affected Assets

n2ws
n2w
≤ 4.3.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires implementation of input validation mechanisms at API request points to prevent remote code execution from specially crafted parameters.

prevent

Ensures timely flaw remediation by patching the improper API parameter validation vulnerability in affected N2W versions.

prevent

Enforces restrictions on API input parameters such as types, ranges, and formats to block malicious requests that bypass validation.

References