Cyber Resilience

CVE-2025-59784

Medium

Published: 04 March 2026

Modified: 05 March 2026
KEV Added
Patch
CVSS Score v4: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0006 (19.5th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-59784 is a medium-severity Improper Output Neutralization for Logs (CWE-117) vulnerability in 2N Access Commander. Its CVSS base score is 6.9 (Medium).

Operationally, it ranks at the 19.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-59784 is a log pollution vulnerability (CWE-117) affecting 2N Access Commander version 3.4.1 and prior versions. The issue arises when certain parameters sent over the API are included in logs without prior validation or sanitization. It was published on 2026-03-04 with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

The vulnerability requires an attacker to first authenticate with administrator privileges before exploitation. A malicious administrator can send crafted API parameters that pollute the logs with unsanitized content, potentially leading to high impacts on confidentiality, integrity, and availability as indicated by the CVSS vector.

The vendor 2N has published an advisory detailing mitigation at https://www.2n.com/en-GB/download/cve_2025_59784_acom_3_5_v1pdf, which references Access Commander 3.5.

Vulnerability details

2N Access Commander version 3.4.1 and prior is vulnerable to log pollution. Certain parameters sent over API may be included in the logs without prior validation or sanitisation. This vulnerability can only be exploited after authenticating with administrator privileges.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-59785 · Same product: 2N Access Commander
CVE-2025-59786 · Same product: 2N Access Commander
CVE-2025-59783 · Same product: 2N Access Commander
CVE-2025-57564 · Shared CWE-117
CVE-2026-34478 · Shared CWE-117
CVE-2025-27111 · Shared CWE-117
CVE-2026-25548 · Shared CWE-117
CVE-2024-9606 · Shared CWE-117

Affected Assets

2n · access commander · ≤ 3.4.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of API input parameters before they are processed or written to logs, blocking the log pollution vector at its source.

prevent

Protects audit log integrity against unauthorized modification or injection by privileged users, limiting the impact of crafted log entries.

prevent

Restricts administrator privileges so that only the minimum necessary accounts can reach the vulnerable API endpoints that write unsanitized parameters to logs.
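The input-neutralization control described above can be illustrated with a short Python sketch. This is an added example, not code from 2N or from the advisory; the logger name, the field length cap and the sample parameter are assumptions made up for illustration.

```python
import io
import logging

MAX_FIELD_LEN = 256  # assumed per-field cap, not a value from the advisory


def neutralize(value, max_len=MAX_FIELD_LEN):
    """Render value as one printable line that cannot start a new log entry."""
    text = str(value)
    clipped = len(text) > max_len
    out = []
    for ch in text[:max_len]:
        if ch == "\\":
            out.append("\\\\")  # escape the escape char so output stays unambiguous
        elif ch.isprintable():
            out.append(ch)
        else:
            # CR, LF, ESC, U+2028 and other control/separator chars
            # become visible escapes such as \r, \n, \x1b, \u2028
            out.append(ch.encode("unicode_escape").decode("ascii"))
    return "".join(out) + ("...[truncated]" if clipped else "")


class NeutralizeArgs(logging.Filter):
    """Neutralize string arguments of lazily formatted log calls."""

    def filter(self, record):
        if isinstance(record.args, tuple):
            record.args = tuple(
                neutralize(a) if isinstance(a, str) else a for a in record.args)
        return True  # f-strings bypass this filter; pass values as arguments


def render(param):
    """Log one API parameter through the filter and return the text written."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    log = logging.Logger("api-audit-demo")  # hypothetical logger name
    log.addHandler(handler)
    log.addFilter(NeutralizeArgs())
    log.info("device renamed to '%s'", param)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample input: a parameter carrying CR/LF and a fake entry.
    print(render("lobby\r\nINFO user admin logged out"), end="")
```

With the filter attached, the constructed parameter stays inside a single log line with its CR/LF shown as literal `\r\n`, so a reviewer can see the injected text rather than a second, forged-looking entry.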
