Description
In N2W before 4.3.2 and 4.4.0 before 4.4.1, improper validation of API request parameters enables remote code execution.
Published: 2026-03-25
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from insufficient validation of API request parameters in N2W versions prior to 4.3.2 in the 4.3 line and before 4.4.1 in the 4.4 line. This flaw allows an attacker to manipulate the parameters sent to the API to execute arbitrary code on the server. The impact is remote code execution, which could in effect give the attacker full control over the affected system. The extent of control is inferred: the description states only that code can be executed, and such execution typically enables system-wide compromise.

Affected Systems

N2W is the affected product. Versions earlier than 4.3.2 in the 4.3 series and earlier than 4.4.1 in the 4.4 series are vulnerable. No other product or vendor details are provided beyond the product name. Organizations using these or older releases must evaluate whether they are exposed.

Risk and Exploitability

The severity is critical, with a CVSS score of 9.8. The EPSS score is below 1%, indicating a low estimated likelihood of exploitation, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector is remote, inferred from the fact that the flaw is exercised through API requests. An attacker needs the ability to send crafted API requests over the network to the exposed endpoints; no additional privileges are required. Because the flaw permits arbitrary code execution, the risk remains substantial despite the low EPSS.

Generated by OpenCVE AI on March 27, 2026 at 10:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade N2W to version 4.3.2 or later if using the 4.3 series, or to 4.4.1 or later if using the 4.4 series.
  • Verify the update includes the security fix by reviewing the release notes at the vendor URLs provided.
  • If an upgrade cannot be performed immediately, restrict API access to trusted IPs or network segments and monitor for anomalous API traffic.
  • Consider disabling or limiting the vulnerable API endpoints until a patch is applied.
  • Document these changes and update incident response plans to include this vulnerability.


Advisories

No advisories yet.

History

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Improper API Parameter Validation in N2W

Fri, 27 Mar 2026 09:30:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Improper API Parameter Validation in N2W
Weaknesses CWE-20

Fri, 27 Mar 2026 05:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared N2w
N2w n2w
Weaknesses CWE-290
CPEs cpe:2.3:a:n2w:n2w:*:*:*:*:*:*:*:*
Vendors & Products N2w
N2w n2w
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 26 Mar 2026 14:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Improper API Parameter Validation in N2W
Weaknesses CWE-20

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Unvalidated API Parameters in N2W
Weaknesses CWE-20
CWE-94

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared N2ws
N2ws n2w
Vendors & Products N2ws
N2ws n2w

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Unvalidated API Parameters in N2W
Weaknesses CWE-20
CWE-94

Wed, 25 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
Description In N2W before 4.3.2 and 4.4.0 before 4.4.1, improper validation of API request parameters enables remote code execution.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-27T03:55:43.288Z

Reserved: 2025-09-19T00:00:00.000Z

Link: CVE-2025-59706

Vulnrichment

Updated: 2026-03-27T03:55:37.946Z

NVD

Status: Modified

Published: 2026-03-25T15:16:29.140

Modified: 2026-03-27T05:16:02.043

Link: CVE-2025-59706

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T15:48:11Z

Weaknesses