CVE-2025-59786 - Vulnerability Details - OpenCVE

2N Access Commander version 3.4.2 and prior improperly invalidates session tokens, allowing multiple session cookies to remain active after logout in web application.

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements Present

User Interaction Passive

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact partial

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

2N Telekomunikace a.s.

2N Access Commander

unaffected

Version	Status	Constraints
`0`	affected	< 3.5

No data.

No data.

No data.

Project Subscriptions

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.2n.com/en-GB/download/cve_2025_59786_acom_3_5_v1pdf

History

Wed, 04 Mar 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 04 Mar 2026 15:45:00 +0000

Type	Values Removed	Values Added
Description		2N Access Commander version 3.4.2 and prior improperly invalidates session tokens, allowing multiple session cookies to remain active after logout in web application.
Title		Cookies are not Invalidated upon Logout and Password Change
Weaknesses		CWE-613
References		https://www.2n.com/en-GB/download/cve_2025_59786_acom_3_5_v1pdf
Metrics		cvssV4_0 `{'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: 2N

Published: 2026-03-04T15:30:35.148Z

Updated: 2026-03-04T16:03:17.708Z

Reserved: 2025-09-19T17:22:49.648Z

Link: CVE-2025-59786

Vulnrichment

Updated: 2026-03-04T16:03:11.804Z

NVD

Status : Awaiting Analysis

Published: 2026-03-04T16:16:25.453

Modified: 2026-03-04T18:08:05.730

Link: CVE-2025-59786

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-613

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-59786", "assignerOrgId": "be69f613-e5f6-419b-800c-30351aa8933c", "state": "PUBLISHED", "assignerShortName": "2N", "dateReserved": "2025-09-19T17:22:49.648Z", "datePublished": "2026-03-04T15:30:35.148Z", "dateUpdated": "2026-03-04T16:03:17.708Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Linux"], "product": "2N Access Commander", "vendor": "2N Telekomunikace a.s.", "versions": [{"lessThan": "3.5", "status": "affected", "version": "0", "versionType": "Release"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "2N Access Commander version 3.4.2 and prior improperly invalidates session tokens, allowing multiple session cookies to remain active after logout in web application.<br>\n\n\n\n\n\n<p></p>"}], "value": "2N Access Commander version 3.4.2 and prior improperly invalidates session tokens, allowing multiple session cookies to remain active after logout in web application."}], "impacts": [{"capecId": "CAPEC-31", "descriptions": [{"lang": "en", "value": "CAPEC-31 \u2013 Accessing/Intercepting/Modifying HTTP Cookies"}]}, {"capecId": "CAPEC-593", "descriptions": [{"lang": "en", "value": "CAPEC-593 Session Hijacking"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 6, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-613", "description": "CWE-613 Insufficient Session Expiration", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "be69f613-e5f6-419b-800c-30351aa8933c", "shortName": "2N", "dateUpdated": "2026-03-04T15:30:35.148Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.2n.com/en-GB/download/cve_2025_59786_acom_3_5_v1pdf"}], "source": {"discovery": "UNKNOWN"}, "title": "Cookies are not Invalidated upon Logout and Password Change", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-04T16:00:12.782453Z", "id": "CVE-2025-59786", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T16:03:17.708Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-59786", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-04T16:00:12.782453Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T16:03:11.804Z"}}], "cna": {"title": "Cookies are not Invalidated upon Logout and Password Change", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-31", "descriptions": [{"lang": "en", "value": "CAPEC-31 \u2013 Accessing/Intercepting/Modifying HTTP Cookies"}]}, {"capecId": "CAPEC-593", "descriptions": [{"lang": "en", "value": "CAPEC-593 Session Hijacking"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "2N Telekomunikace a.s.", "product": "2N Access Commander", "versions": [{"status": "affected", "version": "0", "lessThan": "3.5", "versionType": "Release"}], "platforms": ["Linux"], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.2n.com/en-GB/download/cve_2025_59786_acom_3_5_v1pdf", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "2N Access Commander version 3.4.2 and prior improperly invalidates session tokens, allowing multiple session cookies to remain active after logout in web application.", "supportingMedia": [{"type": "text/html", "value": "2N Access Commander version 3.4.2 and prior improperly invalidates session tokens, allowing multiple session cookies to remain active after logout in web application.<br>\n\n\n\n\n\n<p></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-613", "description": "CWE-613 Insufficient Session Expiration"}]}], "providerMetadata": {"orgId": "be69f613-e5f6-419b-800c-30351aa8933c", "shortName": "2N", "dateUpdated": "2026-03-04T15:30:35.148Z"}}}, "cveMetadata": {"cveId": "CVE-2025-59786", "state": "PUBLISHED", "dateUpdated": "2026-03-04T16:03:17.708Z", "dateReserved": "2025-09-19T17:22:49.648Z", "assignerOrgId": "be69f613-e5f6-419b-800c-30351aa8933c", "datePublished": "2026-03-04T15:30:35.148Z", "assignerShortName": "2N"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "2N Access Commander version 3.4.2 and prior improperly invalidates session tokens, allowing multiple session cookies to remain active after logout in web application."}], "id": "CVE-2025-59786", "lastModified": "2026-03-04T18:08:05.730", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.0, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "be69f613-e5f6-419b-800c-30351aa8933c", "type": "Secondary"}]}, "published": "2026-03-04T16:16:25.453", "references": [{"source": "be69f613-e5f6-419b-800c-30351aa8933c", "url": "https://www.2n.com/en-GB/download/cve_2025_59786_acom_3_5_v1pdf"}], "sourceIdentifier": "be69f613-e5f6-419b-800c-30351aa8933c", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-613"}], "source": "be69f613-e5f6-419b-800c-30351aa8933c", "type": "Secondary"}]}