CVE-2025-59707 - Vulnerability Details

- Remote Code Execution via Spoofing in N2W before 4.3.2

Description

In N2W before 4.3.2 and 4.4.x before 4.4.1, there is potential remote code execution and account credentials theft because of a spoofing vulnerability.

Published: 2026-03-25

Score: 9.8 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

In N2W software versions older than 4.3.2 and 4.4.x older than 4.4.1, a spoofing vulnerability permits attackers to execute arbitrary code remotely and obtain account credentials. This flaw arises from incorrect permission assignment for critical resources (CWE-290). The result is total compromise of confidentiality, integrity, and availability, allowing attackers to gain unrestricted system access and exfiltrate sensitive data.

Affected Systems

The affected vendor is N2W, product N2W. Versions before 4.3.2 and before 4.4.1 are impacted. The vulnerability is present across all prior releases up to and including those versions, affecting organizations that have not yet applied the patch released in N2W V4.3.2 and V4.4.1.

Risk and Exploitability

The CVSS score of 9.8 places the flaw in the critical severity range, while the EPSS score of less than 1% suggests a low probability of exploitation. It is not captured in the CISA KEV catalog. Based on the description, the attack vector is likely remote, with the attacker exploiting the application logic over the network, possibly through web interfaces or API calls. Exploitation requires the ability to send crafted requests that are treated as legitimate user actions, hence the spoofing context.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:n2w:n2w::::::::
	cpe:2.3:a:n2w:n2w:4.4.0:::::::*

No data.

Vendor Product Confidence Versions

N2ws

N2w

70%

Version	Status	Scheme	Platform
`[0,4.3.2)`	affected	semver	—
`[0,4.4.1)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade N2W to version 4.3.2 or newer, which contains the security fix
If an upgrade is not immediately feasible, restrict access to N2W management interfaces to trusted IP ranges and enforce strong authentication mechanisms
Continuously monitor authentication logs and network traffic for suspicious activity and alert administrators of potential compromise

Generated by OpenCVE AI on March 27, 2026 at 10:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00282.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
https://n2ws.com/blog/security-advisory-update
https://n2ws.zendesk.com/hc/en-us/articles/29817965452701-Release-notes-for-N2W-V4-3-2-August-2025
https://www.n2ws.com

History

Fri, 27 Mar 2026 20:30:00 +0000

Type	Values Removed	Values Added
Title		Remote Code Execution via Spoofing in N2W before 4.3.2

Fri, 27 Mar 2026 09:30:00 +0000

Type	Values Removed	Values Added
Title	Remote Code Execution via Spoofing in N2W versions prior to 4.4.1
Weaknesses	CWE-200 CWE-285

Fri, 27 Mar 2026 05:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 26 Mar 2026 20:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		N2w N2w n2w
Weaknesses		CWE-290
CPEs		cpe:2.3:a:n2w:n2w:::::::: cpe:2.3:a:n2w:n2w:4.4.0:::::::*
Vendors & Products		N2w N2w n2w
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Thu, 26 Mar 2026 14:00:00 +0000

Type	Values Removed	Values Added
Title		Remote Code Execution via Spoofing in N2W versions prior to 4.4.1
Weaknesses		CWE-200 CWE-285

Thu, 26 Mar 2026 12:30:00 +0000

Type	Values Removed	Values Added
Title	Spoofing Vulnerability in N2W Allowing Remote Code Execution and Credential Theft
Weaknesses	CWE-287 CWE-306

Thu, 26 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		N2ws N2ws n2w
Vendors & Products		N2ws N2ws n2w

Wed, 25 Mar 2026 22:00:00 +0000

Type	Values Removed	Values Added
Title		Spoofing Vulnerability in N2W Allowing Remote Code Execution and Credential Theft
Weaknesses		CWE-287 CWE-306

Wed, 25 Mar 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description		In N2W before 4.3.2 and 4.4.x before 4.4.1, there is potential remote code execution and account credentials theft because of a spoofing vulnerability.
References		https://n2ws.com/blog/security-advisory-update https://n2ws.zendesk.com/hc/en-us/articles/29817965452701-Release-notes-for-N2W-V4-3-2-August-2025 https://www.n2ws.com

Subscriptions

N2w N2w

N2ws N2w

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-03-25T00:00:00.000Z

Updated: 2026-03-27T03:57:12.342Z

Reserved: 2025-09-19T00:00:00.000Z

Link: CVE-2025-59707

Vulnrichment

Updated: 2026-03-27T03:57:07.328Z

NVD

Status : Modified

Published: 2026-03-25T15:16:29.257

Modified: 2026-03-27T05:16:02.363

Link: CVE-2025-59707

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T15:48:10Z

Weaknesses

CWE-290

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object