CVE-2025-59786

Critical

Published: 04 March 2026

Published

04 March 2026

Modified

05 March 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0006 19.3th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-59786 is a critical-severity Insufficient Session Expiration (CWE-613) vulnerability in 2N Access Commander. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Web Session Cookie (T1550.004); ranked at the 19.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-12 (Session Termination) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Web Session Cookie (T1550.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-12 Session Termination good match

prevent

Directly requires automatic termination of user sessions upon logout or defined events, preventing unauthorized access via uninvalidated session tokens and cookies.

SI-2 Flaw Remediation good match

preventrecover

Mandates timely identification, reporting, and correction of flaws like improper session token invalidation through vendor patching to version 3.5.

AC-10 Concurrent Session Control partial match

prevent

Limits concurrent sessions per user or account, mitigating risks from multiple active session cookies persisting after logout.

MITRE ATT&CK Enterprise TechniquesAI

T1550.004 Web Session Cookie Lateral Movement

Adversaries can use stolen session cookies to authenticate to web applications and services.

attack.mitre.org →

Why these techniques?

Vulnerability enables reuse of valid web session cookies post-logout (via prior theft/sniffing), directly facilitating Use Alternate Authentication Material with Web Session Cookies for persistent unauthorized access.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

2N Access Commander version 3.4.2 and prior improperly invalidates session tokens, allowing multiple session cookies to remain active after logout in web application.

Deeper analysisAI

CVE-2025-59786 is a critical vulnerability in 2N Access Commander versions 3.4.2 and prior, where the web application improperly invalidates session tokens upon logout. This flaw allows multiple session cookies to remain active, enabling persistent unauthorized access even after a user logs out. The issue is classified under CWE-613 (Insufficient Session Expiration) and carries a CVSS v3.1 base score of 9.8, reflecting its high severity due to network accessibility, low attack complexity, and no requirements for privileges or user interaction.

A remote, unauthenticated attacker can exploit this vulnerability over the network by obtaining a valid session cookie, such as through network sniffing or prior compromise, and reusing it post-logout to maintain access. Successful exploitation grants high-impact privileges, compromising confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing full control over the affected web application and associated access control functions.

The vendor has published an advisory with mitigation details, including a patch for 2N Access Commander version 3.5, available at https://www.2n.com/en-GB/download/cve_2025_59786_acom_3_5_v1pdf. Security practitioners should prioritize upgrading to the patched version and review session management configurations to prevent similar issues.