Cyber Resilience

CVE-2025-59786

Severity: Medium
Published: 04 March 2026
Modified: 05 March 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: available (see the vendor advisory below)
CVSS v4 score: 6.0 (vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0025 (16.6th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2025-59786 is a medium-severity Insufficient Session Expiration (CWE-613) vulnerability in 2N Access Commander. Its CVSS base score is 6.0 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Web Session Cookie (T1550.004). The CVE is ranked at the 16.6th percentile by exploit likelihood (EPSS), below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-12 (Session Termination) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-59786 is a critical vulnerability in 2N Access Commander versions 3.4.2 and prior, where the web application improperly invalidates session tokens upon logout. This flaw allows multiple session cookies to remain active, enabling persistent unauthorized access even after a user logs out. The issue is classified under CWE-613 (Insufficient Session Expiration) and carries a CVSS v3.1 base score of 9.8, reflecting its high severity due to network accessibility, low attack complexity, and no requirements for privileges or user interaction.

A remote, unauthenticated attacker can exploit this vulnerability over the network by obtaining a valid session cookie, such as through network sniffing or prior compromise, and reusing it post-logout to maintain access. Successful exploitation grants high-impact privileges, compromising confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing full control over the affected web application and associated access control functions.

The vendor has published an advisory with mitigation details, including a patch for 2N Access Commander version 3.5, available at https://www.2n.com/en-GB/download/cve_2025_59786_acom_3_5_v1pdf. Security practitioners should prioritize upgrading to the patched version and review session management configurations to prevent similar issues.
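The defect described above is a server that forgets only the cookie presented at logout (or nothing at all), so any other copy of a valid session token keeps working. The following is an added illustration, not 2N's code and not taken from the advisory: a hypothetical server-side session store whose `logout_vulnerable` method mirrors the CWE-613 behaviour and whose `logout_hardened` method revokes every session of the user on logout, with an absolute lifetime as the backstop. All class and function names are assumptions made for this example.

```python
import secrets
import time


class SessionStore:
    """Server-side session store (hypothetical helper, not 2N code).

    Tokens are opaque random strings and all state lives on the server, so a
    token can be revoked regardless of which cookies a client still holds.
    """

    def __init__(self, ttl_seconds=900, clock=time.time):
        self._sessions = {}          # token -> {"user": str, "expires": float}
        self._ttl = ttl_seconds      # absolute lifetime, AC-12 style termination
        self._clock = clock          # injectable so tests can move time forward

    def login(self, user):
        token = secrets.token_urlsafe(32)   # 256 bits of entropy, not guessable
        self._sessions[token] = {"user": user, "expires": self._clock() + self._ttl}
        return token

    def user_for(self, token):
        """Return the user bound to a live token, or None if unknown or expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if entry["expires"] <= self._clock():
            del self._sessions[token]       # lazy expiry of stale entries
            return None
        return entry["user"]

    def is_valid(self, token):
        return self.user_for(token) is not None

    def active_sessions(self, user):
        return sum(1 for e in self._sessions.values() if e["user"] == user)

    def logout_vulnerable(self, token):
        # Only the presented token is forgotten; every other session the same
        # user holds stays usable, which is the CWE-613 pattern described above.
        self._sessions.pop(token, None)

    def logout_hardened(self, token):
        # Revoke the presented token AND every other session of that user, so a
        # cookie copied earlier is rejected after logout. Returns the count revoked.
        entry = self._sessions.pop(token, None)
        if entry is None:
            return 0
        user = entry["user"]
        siblings = [t for t, e in self._sessions.items() if e["user"] == user]
        for t in siblings:
            del self._sessions[t]
        return 1 + len(siblings)


def logout_outcome(hardened):
    """Simulate one user with two sessions, log out from the first, and report
    whether each token is still accepted. Returns (first_valid, second_valid)."""
    store = SessionStore()
    first = store.login("operator")
    second = store.login("operator")    # a second browser, or an earlier copy
    if hardened:
        store.logout_hardened(first)
    else:
        store.logout_vulnerable(first)
    return store.is_valid(first), store.is_valid(second)


def ttl_outcome():
    """Show absolute expiry: a token never explicitly logged out stops working
    once its lifetime elapses. Returns (valid_before, valid_after)."""
    now = [1_000.0]                      # constructed fake clock
    store = SessionStore(ttl_seconds=600, clock=lambda: now[0])
    token = store.login("operator")
    before = store.is_valid(token)
    now[0] += 601
    return before, store.is_valid(token)


if __name__ == "__main__":
    print("vulnerable logout (first, second):", logout_outcome(False))  # (False, True)
    print("hardened logout   (first, second):", logout_outcome(True))   # (False, False)
    print("ttl expiry        (before, after):", ttl_outcome())          # (True, False)
```

The check a reviewer would run against a session implementation is the one `logout_outcome` encodes: issue two sessions for one account, log out of one, and confirm the other is rejected. Clearing the cookie in the browser response is not enough; the revocation has to happen in the server-side store, and the absolute lifetime limits the window even when no logout ever occurs.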

Vulnerability details

2N Access Commander version 3.4.2 and prior improperly invalidates session tokens, allowing multiple session cookies to remain active after logout in the web application.

CWE(s)

CWE-613 Insufficient Session Expiration

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1550.004 Web Session Cookie (tactic: Lateral Movement)
Adversaries can use stolen session cookies to authenticate to web applications and services.
Why these techniques?

Vulnerability enables reuse of valid web session cookies post-logout (via prior theft/sniffing), directly facilitating Use Alternate Authentication Material with Web Session Cookies for persistent unauthorized access.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-59783: same product (2N Access Commander)
CVE-2025-59785: same product (2N Access Commander)
CVE-2025-59784: same product (2N Access Commander)
CVE-2025-57735: shared CWE-613
CVE-2025-36377: shared CWE-613
CVE-2025-22386: shared CWE-613
CVE-2026-44511: shared CWE-613
CVE-2026-34828: shared CWE-613
CVE-2026-25476: shared CWE-613
CVE-2026-1435: shared CWE-613

Affected Assets

2N Access Commander, versions ≤ 3.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

AC-12 Session Termination (prevent)
Directly requires automatic termination of user sessions upon logout or defined events, preventing unauthorized access via uninvalidated session tokens and cookies.

SI-2 Flaw Remediation (prevent, recover)
Mandates timely identification, reporting, and correction of flaws like improper session token invalidation through vendor patching to version 3.5.

AC-10 Concurrent Session Control (prevent)
Limits concurrent sessions per user or account, mitigating risks from multiple active session cookies persisting after logout.
