CVE-2025-32991

Critical

Published: 25 March 2026

Published

25 March 2026

Modified

26 March 2026

KEV Added

—

Patch

—

CVSS Score 9.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0029 52.7th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

In N2WS Backup & Recovery before 4.4.0, a two-step attack against the RESTful API results in remote code execution.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Applying vendor patches to N2WS Backup & Recovery 4.4.0 or later directly remediates the race condition vulnerability enabling RCE via the RESTful API.

SI-5 Security Alerts, Advisories, and Directives good match

prevent

Responding to vendor security advisories, such as the N2WS update for CVE-2025-32991, ensures timely flaw remediation to prevent exploitation.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Vulnerability scanning identifies the presence of CVE-2025-32991 in N2WS versions before 4.4.0, enabling proactive patching of the API race condition.

Security SummaryAI

CVE-2025-32991 is a remote code execution vulnerability in N2WS Backup & Recovery versions before 4.4.0. It stems from a two-step attack targeting the product's RESTful API and is linked to CWE-362 (race condition). The issue carries a CVSS v3.1 base score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its network accessibility, high impact across confidentiality, integrity, and availability, and scope change upon exploitation. The vulnerability was published on 2026-03-25.

Unauthenticated attackers can exploit this over the network without user interaction, though the two-step process imposes high attack complexity. Successful exploitation grants remote code execution, enabling full control over the affected system with high impacts on data confidentiality, system integrity, and availability.

Vendor advisories, including the security update at https://n2ws.com/blog/security-advisory-update and details on https://www.n2ws.com, address mitigation. Upgrading to N2WS Backup & Recovery 4.4.0 or later resolves the vulnerability.

Details

CWE(s): CWE-362

Affected Products

n2w

backup\& recovery

≤ 4.3.2

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

CVE-2025-32991 is a critical unauthenticated RCE vulnerability in a public-facing RESTful API of N2WS Backup & Recovery, directly enabling exploitation of public-facing applications for initial access and system compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://n2ws.com/blog/security-advisory-update
Vendor Advisory · cve@mitre.org
https://www.n2ws.com
Product · cve@mitre.org