CVE-2025-59706
Published: 25 March 2026
Description
In N2W before 4.3.2 and 4.4.0 before 4.4.1, improper validation of API request parameters enables remote code execution.
Mitigating Controls (NIST 800-53 r5)AI
Directly requires implementation of input validation mechanisms at API request points to prevent remote code execution from specially crafted parameters.
Ensures timely flaw remediation by patching the improper API parameter validation vulnerability in affected N2W versions.
Enforces restrictions on API input parameters such as types, ranges, and formats to block malicious requests that bypass validation.
Security SummaryAI
CVE-2025-59706 is a critical vulnerability in N2W software versions prior to 4.3.2 and 4.4.0 prior to 4.4.1, stemming from improper validation of API request parameters that enables remote code execution. Assigned CWE-290, it received a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) upon publication on March 25, 2026.
Remote attackers require only network access to the vulnerable N2W instance, with no authentication, privileges, or user interaction needed. By sending specially crafted API requests, they can achieve arbitrary code execution, resulting in high-impact compromise of confidentiality, integrity, and availability on the affected system.
Vendor advisories, including the security update on the N2W blog and release notes for version 4.3.2, recommend upgrading to N2W 4.3.2 or 4.4.1 to mitigate the issue, as detailed in the referenced documentation.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows unauthenticated remote code execution via crafted API requests on a public-facing application, directly mapping to T1190: Exploit Public-Facing Application.