CVE-2025-59783

API endpoint for user synchronization in 2N Access Commander version 3.4.1 did not have a sufficient input validation allowing for OS command injection. This vulnerability can only be exploited after authenticating with administrator privileges.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.2n.com/en-GB/download/cve_2025_59783_acom_3_5_v1pdf	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:2n:access_commander:*:*:*:*:*:*:*:*

History

17 Jun 2026, 09:46

Type	Values Removed	Values Added
Summary		(es) El endpoint de la API para la sincronización de usuarios en 2N Access Commander versión 3.4.1 no tenía una validación de entrada suficiente, lo que permitía la inyección de comandos del sistema operativo. Esta vulnerabilidad solo puede ser explotada después de autenticarse con privilegios de administrador.

05 Mar 2026, 15:05

Type	Values Removed	Values Added
First Time		2n access Commander 2n
References	~~() https://www.2n.com/en-GB/download/cve_2025_59783_acom_3_5_v1pdf -~~	() https://www.2n.com/en-GB/download/cve_2025_59783_acom_3_5_v1pdf - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.2
CPE		cpe:2.3:a:2n:access_commander::::::::

04 Mar 2026, 16:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-04 16:16

Updated : 2026-06-17 09:46

NVD link : CVE-2025-59783

Mitre link : CVE-2025-59783

CVE.ORG link : CVE-2025-59783

JSON object : View

Products Affected

2n

access_commander

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2025-59783", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2025-59783", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "total"}], "version": "2.0.3", "timestamp": "2026-03-04T16:14:33.825152Z"}}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}], "cvssMetricV40": [{"type": "Secondary", "source": "be69f613-e5f6-419b-800c-30351aa8933c", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "affected": [{"source": "be69f613-e5f6-419b-800c-30351aa8933c", "affectedData": [{"vendor": "2N Telekomunikace a.s.", "modules": ["API"], "product": "2N Access Commander", "versions": [{"status": "affected", "version": "0", "lessThan": "3.4.2", "versionType": "public release"}], "platforms": ["Linux"], "defaultStatus": "unaffected"}]}], "published": "2026-03-04T16:16:24.977", "references": [{"url": "https://www.2n.com/en-GB/download/cve_2025_59783_acom_3_5_v1pdf", "tags": ["Vendor Advisory"], "source": "be69f613-e5f6-419b-800c-30351aa8933c"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "be69f613-e5f6-419b-800c-30351aa8933c", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "API endpoint for user synchronization in 2N Access Commander version 3.4.1 did not have a sufficient input validation allowing for OS command injection. \nThis vulnerability can only be exploited after authenticating with administrator privileges."}, {"lang": "es", "value": "El endpoint de la API para la sincronizaci\u00f3n de usuarios en 2N Access Commander versi\u00f3n 3.4.1 no ten\u00eda una validaci\u00f3n de entrada suficiente, lo que permit\u00eda la inyecci\u00f3n de comandos del sistema operativo. Esta vulnerabilidad solo puede ser explotada despu\u00e9s de autenticarse con privilegios de administrador."}], "lastModified": "2026-06-17T09:46:42.597", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:2n:access_commander:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F348170B-06FB-4F85-9407-D156804DEFE6", "versionEndExcluding": "3.4.2"}], "operator": "OR"}]}], "sourceIdentifier": "be69f613-e5f6-419b-800c-30351aa8933c"}