Security Advisories
At 2N, we believe the best way to protect our customers is to be open about potential risks – and quick to fix them.
This page lists known fixed vulnerabilities affecting 2N products and services, along with any related open-source components. Each entry is identified by its CVE ID (Common Vulnerabilities and Exposures) registered at cve.org.
Before becoming a CVE Numbering Authority (CNA), we published our first CVEs under the Axis CNA account. Since gaining CNA status, we issue CVEs directly under the 2N name for easier tracking and increased transparency.
If you discover a vulnerability that impacts any 2N product and is not listed here, please report it using this form so we can investigate immediately.
2N CVEs
This registry lists vulnerabilities specific to 2N products and services. We strongly recommend updating any affected devices as soon as fixes are released.
CVE 2025
2N Access Commander
| CVE number | CVSS severity | Patched version | Security advisory / Vulnerability summary |
| CVE-2025-59783 | 8.8 (HIGH) | 3.4.2 | 2N Security Advisory: API endpoint for user synchronisation in 2N Access Commander version 3.4.1 did not have a sufficient input validation allowing for OS command injection. This vulnerability can only be exploited after authenticating with administrator privileges |
| CVE-2025-59784 | 6.9 (MEDIUM) | 3.4.2 | 2N Security Advisory: 2N Access Commander version 3.4.1 and prior is vulnerable to log pollution. Certain parameters sent over API may be included in the logs without prior validation or sanitisation. This vulnerability can only be exploited after authenticating with administrator privileges. |
| CVE-2025-59785 | 5.3 (MEDIUM) |
3.5 | 2N Security Advisory: Improper validation of API end-point in 2N Access Commander version 3.4.2 and prior allows attacker to bypass password policy for backup file encryption.This vulnerability can only be exploited after authenticating with administrator privileges. |
| CVE-2025-59786 | 6 (MEDIUM) |
3.5 | 2N Security Advisory: 2N Access Commander version 3.4.2 and prior improperly invalidates session tokens, allowing multiple session cookies to remain active after logout in web application. |
| CVE-2025-59787 |
5.3 (MEDIUM) |
3.5 | 2N Security Advisory: 2N Access Commander application version 3.4.2 and prior returns HTTP 500 Internal Server Error responses when receiving malformed or manipulated requests, indicating improper handling of invalid input and potential security or availability impacts. |
CVE 2024
2N OS
| CVE number |
CVSS severity | Patched version | Security advisory / Vulnerability summary |
| CVE-2024-13416 | 4.3 (MEDIUM) | 2N OS 2.46 | 2N Security Advisory: Using API in the 2N OS device, authorized user can enable logging, which discloses valid authentication tokens in system log. |
| CVE-2024-13417 | 4.6 (MEDIUM) | 2N OS 2.46 | 2N Security Advisory: Specifically crafted payloads sent to the RFID reader could cause DoS of RFID reader. After the device is restarted, it gets back to fully working state. |
2N Access Commander
| CVE number | CVSS severity | Patched version | Security advisory / Vulnerability summary |
| CVE-2024-47253 | 7.2 (HIGH) | 3.2 | 2N Security Advisory: In 2N Access Commander versions 3.1.1.2 and prior, a Path Traversal vulnerability could allow an attacker with administrative privileges to write files on the filesystem and potentially achieve arbitrary remote code execution. |
| CVE-2024-47254 | 6.3 (MEDIUM) | 3.2 | 2N Security Advisory: In 2N Access Commander versions 3.1.1.2 and prior, an Insufficient Verification of Data Authenticity vulnerability could allow an attacker to escalate their privileges and gain root access to the systém. |
| CVE-2024-47255 | 4.7 (MEDIUM) | 3.2 | 2N Security Advisory: In 2N Access Commander versions 3.1.1.2 and prior, a local attacker can escalate their privileges in the system which could allow for arbitrary code execution with root permissions. |
| CVE-2024-47256 | 6.0 (MEDIUM) | 3.3 | 2N Security Advisory: Successful exploitation of this vulnerability could allow an attacker (who needs to have Admin access privileges) to read hardcoded AES passphrase, which may be used for decryption of certain data within backup files of 2N Access Commander version 1.14 and older |
| CVE-2024-47258 | 8.1 (HIGH) | 3.3 | 2N Security Advisory: Since version 2.2 of 2N Access Commander (released in February 2022) it is possible to enforce TLS certificate validation and prevent MITM attack. See Solution and Mitigation section below for more details. TLS certificate validation is not activated in default setting and needs to be enabled by the administrator. |
Have you noticed a cybersecurity issue? Share your findings with us.
