CVE-2025-59785 - Vulnerability Details - OpenCVE

Improper validation of API end-point in 2N Access Commander version 3.4.2 and prior allows attacker to bypass password policy for backup file encryption.
This vulnerability can only be exploited after authenticating with administrator privileges.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable yes

Technical Impact partial

No data.

No data.

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.2n.com/en-GB/download/cve_2025_59785_acom_3_5_v1pdf

History

Wed, 04 Mar 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 04 Mar 2026 15:45:00 +0000

Type	Values Removed	Values Added
Description		Improper validation of API end-point in 2N Access Commander version 3.4.2 and prior allows attacker to bypass password policy for backup file encryption. This vulnerability can only be exploited after authenticating with administrator privileges.
Title		API - Insufficient Input Validation
Weaknesses		CWE-1286
References		https://www.2n.com/en-GB/download/cve_2025_59785_acom_3_5_v1pdf
Metrics		cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: 2N

Published: 2026-03-04T15:30:31.230Z

Updated: 2026-03-04T16:17:08.636Z

Reserved: 2025-09-19T17:22:49.648Z

Link: CVE-2025-59785

Vulnrichment

Updated: 2026-03-04T16:17:05.390Z

NVD

Status : Received

Published: 2026-03-04T16:16:25.307

Modified: 2026-03-04T16:16:25.307

Link: CVE-2025-59785

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-1286

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-59785", "assignerOrgId": "be69f613-e5f6-419b-800c-30351aa8933c", "state": "PUBLISHED", "assignerShortName": "2N", "dateReserved": "2025-09-19T17:22:49.648Z", "datePublished": "2026-03-04T15:30:31.230Z", "dateUpdated": "2026-03-04T16:17:08.636Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Linux"], "product": "2N Access Commander", "vendor": "2N Telekomunikace a.s.", "versions": [{"lessThan": "3.5", "status": "affected", "version": "0", "versionType": "Release"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper validation of API end-point in 2N Access Commander version 3.4.2 and prior allows attacker to bypass password policy for backup file encryption.<br>This vulnerability can only be exploited after authenticating with administrator privileges.<br><p></p>"}], "value": "Improper validation of API end-point in 2N Access Commander version 3.4.2 and prior allows attacker to bypass password policy for backup file encryption.\nThis vulnerability can only be exploited after authenticating with administrator privileges."}], "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "CAPEC-153 \u2014 Input Data Manipulation"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.3, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1286", "description": "CWE-1286 \u2013 Improper Validation of Syntactic Correctness", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "be69f613-e5f6-419b-800c-30351aa8933c", "shortName": "2N", "dateUpdated": "2026-03-04T15:30:31.230Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.2n.com/en-GB/download/cve_2025_59785_acom_3_5_v1pdf"}], "source": {"discovery": "UNKNOWN"}, "title": "API - Insufficient Input Validation", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-04T16:17:02.568081Z", "id": "CVE-2025-59785", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T16:17:08.636Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-59785", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-04T16:17:02.568081Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T16:17:05.390Z"}}], "cna": {"title": "API - Insufficient Input Validation", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "CAPEC-153 \u2014 Input Data Manipulation"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "2N Telekomunikace a.s.", "product": "2N Access Commander", "versions": [{"status": "affected", "version": "0", "lessThan": "3.5", "versionType": "Release"}], "platforms": ["Linux"], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.2n.com/en-GB/download/cve_2025_59785_acom_3_5_v1pdf", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Improper validation of API end-point in 2N Access Commander version 3.4.2 and prior allows attacker to bypass password policy for backup file encryption.\nThis vulnerability can only be exploited after authenticating with administrator privileges.", "supportingMedia": [{"type": "text/html", "value": "Improper validation of API end-point in 2N Access Commander version 3.4.2 and prior allows attacker to bypass password policy for backup file encryption.<br>This vulnerability can only be exploited after authenticating with administrator privileges.<br><p></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1286", "description": "CWE-1286 \u2013 Improper Validation of Syntactic Correctness"}]}], "providerMetadata": {"orgId": "be69f613-e5f6-419b-800c-30351aa8933c", "shortName": "2N", "dateUpdated": "2026-03-04T15:30:31.230Z"}}}, "cveMetadata": {"cveId": "CVE-2025-59785", "state": "PUBLISHED", "dateUpdated": "2026-03-04T16:17:08.636Z", "dateReserved": "2025-09-19T17:22:49.648Z", "assignerOrgId": "be69f613-e5f6-419b-800c-30351aa8933c", "datePublished": "2026-03-04T15:30:31.230Z", "assignerShortName": "2N"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper validation of API end-point in 2N Access Commander version 3.4.2 and prior allows attacker to bypass password policy for backup file encryption.\nThis vulnerability can only be exploited after authenticating with administrator privileges."}], "id": "CVE-2025-59785", "lastModified": "2026-03-04T16:16:25.307", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "be69f613-e5f6-419b-800c-30351aa8933c", "type": "Secondary"}]}, "published": "2026-03-04T16:16:25.307", "references": [{"source": "be69f613-e5f6-419b-800c-30351aa8933c", "url": "https://www.2n.com/en-GB/download/cve_2025_59785_acom_3_5_v1pdf"}], "sourceIdentifier": "be69f613-e5f6-419b-800c-30351aa8933c", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1286"}], "source": "be69f613-e5f6-419b-800c-30351aa8933c", "type": "Secondary"}]}