Description
In N2WS Backup & Recovery before 4.4.0, a two-step attack against the RESTful API results in remote code execution.
Published: 2026-03-25
Score: 9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A two-step attack against the RESTful API of N2WS Backup & Recovery can lead to arbitrary code execution. The underlying weakness is a race condition (CWE-362): an attacker who can influence the ordering of concurrent requests may be able to run code with the privileges of the backup service. A successful attack could compromise the entire server, giving full control over its files and configuration and potentially over all data the application handles.

Affected Systems

The vulnerability affects N2WS Backup & Recovery versions prior to 4.4.0. Every installation of an affected version that exposes the API is at risk, regardless of other configuration settings.

Risk and Exploitability

The CVSS score of 9.0 indicates a critical level of severity. The EPSS score of less than 1% indicates a low estimated likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, but the exploit path relies on the REST API being reachable over a network. Attackers who can reach the API endpoint can perform the two-step maneuver to trigger the race condition, leading to code execution without requiring any privileges (PR:N in the CVSS vector).

Generated by OpenCVE AI on March 26, 2026 at 21:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official update to N2WS Backup & Recovery version 4.4.0 or later.
  • If an immediate patch is not possible, isolate the backup server from untrusted networks and restrict API access to trusted hosts only.
  • Continuously monitor the API for abnormal usage patterns or unexpected file system changes.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 09:30:00 +0000

Type     Values Removed    Values Added
Title                      Remote Code Execution via Dual‑Step REST API Attack in N2WS Backup & Recovery

Thu, 26 Mar 2026 20:45:00 +0000

Type                   Values Removed    Values Added
First Time appeared                      N2w
                                         N2w backup\& Recovery
CPEs                                     cpe:2.3:a:n2w:backup\&_recovery:*:*:*:*:*:*:*:*
Vendors & Products                       N2w
                                         N2w backup\& Recovery

Thu, 26 Mar 2026 12:00:00 +0000

Type                   Values Removed    Values Added
First Time appeared                      N2ws
                                         N2ws backup And Recovery
Vendors & Products                       N2ws
                                         N2ws backup And Recovery

Wed, 25 Mar 2026 22:00:00 +0000

Type     Values Removed    Values Added
Title                      Remote Code Execution via Dual‑Step REST API Attack in N2WS Backup & Recovery

Wed, 25 Mar 2026 17:15:00 +0000

Type       Values Removed    Values Added
Metrics                      ssvc
                             {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 16:30:00 +0000

Type          Values Removed    Values Added
Weaknesses                      CWE-362
Metrics                         cvssV3_1
                                {'score': 9.0, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Wed, 25 Mar 2026 15:00:00 +0000

Type           Values Removed    Values Added
Description                      In N2WS Backup & Recovery before 4.4.0, a two-step attack against the RESTful API results in remote code execution.
References

Subscriptions

N2w Backup\& Recovery
N2ws Backup And Recovery
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-25T15:55:46.019Z

Reserved: 2025-04-15T00:00:00.000Z

Link: CVE-2025-32991

Vulnrichment

Updated: 2026-03-25T15:55:38.670Z

NVD

Status: Analyzed

Published: 2026-03-25T15:16:28.507

Modified: 2026-03-26T20:36:42.620

Link: CVE-2025-32991

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:20:32Z

Weaknesses