CVE-2025-59785

Medium

Published: 04 March 2026

Modified: 05 March 2026
CVSS Score v4: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0006 (17.4th percentile)
Risk Priority: 11 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-59785 is a medium-severity Improper Validation of Syntactic Correctness of Input (CWE-1286) vulnerability in 2N Access Commander. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 17.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-28 (Protection of Information at Rest) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-59785 is an improper validation vulnerability in an API endpoint of 2N Access Commander version 3.4.2 and prior versions. It enables attackers to bypass the password policy enforced for backup file encryption. The issue is cataloged under CWE-1286 and carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). The vulnerability was published on 2026-03-04.

Exploitation requires an attacker to first authenticate with administrator privileges on the affected system. Once authenticated, the attacker can invoke the vulnerable API endpoint to circumvent password policy requirements during backup file creation, potentially resulting in weakly protected backups that expose sensitive configuration data, user credentials, or access control information. The high-impact CVSS vector indicates significant confidentiality, integrity, and availability consequences in a network-accessible environment with low attack complexity.

The vendor 2N has issued an advisory detailing mitigation, available at https://www.2n.com/en-GB/download/cve_2025_59785_acom_3_5_v1pdf, which addresses the issue in Access Commander version 3.5. Security practitioners should apply the patch promptly and review access logs for unauthorized admin activity on vulnerable installations.

Vulnerability details

Improper validation of API end-point in 2N Access Commander version 3.4.2 and prior allows attacker to bypass password policy for backup file encryption. This vulnerability can only be exploited after authenticating with administrator privileges.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1552.001 Credentials In Files (Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

Why these techniques?

Direct exploitation of public-facing API endpoint (T1190) to bypass encryption policy, resulting in credential exposure via weakly protected backup files (T1552.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-59783: Same product: 2N Access Commander
CVE-2025-59784: Same product: 2N Access Commander
CVE-2025-59786: Same product: 2N Access Commander
CVE-2026-40198: Shared CWE-1286
CVE-2025-41719: Shared CWE-1286
CVE-2026-21917: Shared CWE-1286
CVE-2026-33778: Shared CWE-1286
CVE-2025-0638: Shared CWE-1286
CVE-2026-6442: Shared CWE-1286
CVE-2025-22868: Shared CWE-1286

Affected Assets

2n · access commander · ≤ 3.5

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 Information Input Validation
prevent

Directly requires validation of API inputs to block the improper endpoint handling that bypasses the backup encryption password policy.

SC-28 Protection of Information at Rest
prevent

Mandates cryptographic protection of information at rest, ensuring backup files remain confidential even if a weak encryption password is accepted.

CP-9 System Backup (partial match)
prevent

Requires protection of backup confidentiality and integrity per the system security plan, mitigating exposure from policy-bypassed encrypted backups.
