CVE-2025-59784
Published: 04 March 2026
Summary
CVE-2025-59784 is an Improper Output Neutralization for Logs (CWE-117) vulnerability in 2N Access Commander. This page reports a CVSS base score of 6.9 (Medium); note that the CVSS v3.1 vector quoted in the analysis below computes to 7.2 (High), so confirm the rating against the vendor advisory before triaging.
Its exploit-likelihood ranking is the 19.5th percentile (below the median), and it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-59784 is a log pollution vulnerability (CWE-117) in 2N Access Commander version 3.4.1 and earlier. Certain parameters sent over the API are written to the logs without prior validation or sanitization. The entry was published on 2026-03-04 with the CVSS v3.1 vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, which computes to a base score of 7.2 (High).
Exploitation requires an account that has already authenticated with administrator privileges. A malicious or compromised administrator can send crafted API parameters that land in the logs unmodified. The practical consequence of a CWE-117 flaw is that an attacker-controlled value containing line breaks or other control characters can forge log entries, bury the attacker's own actions among fabricated ones, or corrupt what downstream log viewers and SIEM parsers read, which undermines later incident investigation. The CVSS vector rates confidentiality, integrity and availability impact as High, but the published description only describes the log pollution itself, so audit-trail integrity is the impact that is certain.
The vendor 2N has published an advisory describing the mitigation at https://www.2n.com/en-GB/download/cve_2025_59784_acom_3_5_v1pdf; the document's name references Access Commander 3.5.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208277
Vulnerability details
2N Access Commander version 3.4.1 and prior is vulnerable to log pollution. Certain parameters sent over API may be included in the logs without prior validation or sanitisation. This vulnerability can only be exploited after authenticating with administrator privileges.
- CWE(s): CWE-117 (Improper Output Neutralization for Logs)
Related Threats
MITRE ATT&CK Enterprise Techniques
Insufficient information to map techniques.
Affected Assets
2N Access Commander, version 3.4.1 and prior; the vendor advisory references Access Commander 3.5.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of API input parameters before they are processed or written to logs, blocking the log pollution vector at its source.
- Audit log protection (the page does not name this control; in 800-53 r5 the matching control is AU-9, Protection of Audit Information): protects audit log integrity against unauthorized modification or injection by privileged users, limiting the impact of crafted log entries.
- AC-6 (Least Privilege): restricts administrator privileges so that only the minimum necessary accounts can reach the API endpoints that write unsanitized parameters to logs.
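The following is an added example, not 2N's code and not taken from the advisory, illustrating the log pollution mechanism described in the deeper analysis and the SI-10 style neutralization listed under mitigating controls. The log layout (one space-separated key=value entry per line), the field names, the parameter being logged and the sample values are all constructed assumptions; the real Access Commander log format is not known from this page. It shows the vulnerable write, the hardened write, how a line-oriented log reader sees each, and a detection check that only works once the log is neutralized.

```python
"""Added example (not 2N's code): CWE-117 log pollution from an API parameter,
the output neutralization that closes it, and a detection pass over the result.
The log layout, field names and sample values are constructed for illustration."""
import re

# Assumed log layout: one entry per physical line, space-separated key=value fields.
ENTRY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<level>\S+) actor=(?P<actor>\S+) "
    r"action=(?P<action>\S+) param=(?P<param>.*)$"
)
# Characters that can start a new line or be interpreted by a terminal or log
# viewer.  Python's str.splitlines() also treats \x85, \u2028 and \u2029 as
# line breaks, and other log readers differ, so cover them explicitly.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f\x85\u2028\u2029]")
MAX_PARAM_LEN = 128


def format_entry_vulnerable(ts, level, actor, action, param):
    """Writes the API parameter verbatim: the CWE-117 pattern."""
    return f"{ts} {level} actor={actor} action={action} param={param}"


def neutralize(value):
    """Escape every control character so a value can occupy only its own line."""
    return CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group(0)), value)


def format_entry_hardened(ts, level, actor, action, param):
    """SI-10 style: bound the length, then neutralize before the value hits the log."""
    if len(param) > MAX_PARAM_LEN:
        param = param[:MAX_PARAM_LEN] + "...(truncated)"
    return f"{ts} {level} actor={actor} action={action} param={neutralize(param)}"


def parse_entries(buffer):
    """Parse a log buffer the way a naive reader or SIEM agent does: one entry per line."""
    entries = []
    for line in buffer.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_injection_attempts(buffer):
    """Detection: in a neutralized log, an escaped CR/LF inside param= is a forgery attempt."""
    return [e for e in parse_entries(buffer)
            if "\\x0a" in e["param"] or "\\x0d" in e["param"]]


# Constructed attacker input: a display name that ends with a fake entry
# attributing a destructive action to another account.
PAYLOAD = ("ops-team\n2026-03-04T10:00:01Z INFO actor=svc-backup "
           "action=user.delete param=auditor")


def compare(payload):
    """Log the same payload both ways and report what a reader would see."""
    args = ("2026-03-04T10:00:00Z", "INFO", "admin", "user.rename", payload)
    vuln = format_entry_vulnerable(*args)
    hard = format_entry_hardened(*args)
    return {
        "vulnerable_entries": parse_entries(vuln),
        "hardened_entries": parse_entries(hard),
        "attempts_in_vulnerable_log": len(find_injection_attempts(vuln)),
        "attempts_in_hardened_log": len(find_injection_attempts(hard)),
    }


if __name__ == "__main__":
    result = compare(PAYLOAD)
    for e in result["vulnerable_entries"]:
        print("vulnerable log saw:", e["actor"], e["action"], e["param"])
    for e in result["hardened_entries"]:
        print("hardened log saw:  ", e["actor"], e["action"], e["param"])
    print("forgery attempts flagged (vulnerable/hardened):",
          result["attempts_in_vulnerable_log"], result["attempts_in_hardened_log"])
```

The point of the last two counters is that the vulnerable log gives a detector nothing to work with: the forged entry is syntactically indistinguishable from a real one, so the only way to catch the attempt is to neutralize at write time and then alert on escaped line-break sequences in the stored value.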