CVE-2025-59059
Published: 03 March 2026
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-59059 is a remote code execution vulnerability in the NashornScriptEngineCreator component of Apache Ranger versions 2.7.0 and earlier. Published on March 3, 2026, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact exploitation across confidentiality, integrity, and availability.
An unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows arbitrary code execution on the affected Apache Ranger server, potentially leading to full system compromise.
Apache advisories recommend upgrading to Apache Ranger version 2.8.0, which addresses this issue. Relevant discussions are available in the Apache mailing list at https://lists.apache.org/thread/z47q86rho80390lf2qcmoc2josvs0gtv and the oss-security list at http://www.openwall.com/lists/oss-security/2026/03/02/5.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2025-59059 is an unauthenticated remote code execution vulnerability in a network-accessible Apache Ranger server component, directly mapping to exploitation of a public-facing application.