Advisory

Critical N-able N-central vulnerabilities actively exploited

Take action: If you're using N-able N-central, make sure it's isolated from the internet and accessible only from trusted networks. Then update to version 2025.3.1 or hotfix 2024.6 HF2. If you can't isolate from the internet, this is a priority patch, since attackers will eventually phish someone and gain credentials.



CISA is warning about two critical security vulnerabilities affecting N-able's N-central remote monitoring and management (RMM) platform that are currently being exploited by attackers.

N-able N-central is an RMM platform that enables MSPs and IT departments to monitor, manage, and maintain client networks and devices from a centralized web-based console. The platform supports management of Windows, Apple, and Linux endpoints, servers, mobile devices, and network equipment from various manufacturers including Dell, HP, Cisco, and Fortinet. 

According to Shodan searches, approximately 2,000 N-central instances are currently exposed to the internet, with the majority originating from the United States, Australia, and Germany.

Vulnerabilities summary:

  • CVE-2025-8875 (CVSS score 9.4) - An insecure deserialization vulnerability that allows authenticated attackers to execute arbitrary commands on the N-central server. This flaw is caused by improper handling of untrusted data during object deserialization processes, enabling remote attackers to gain unauthorized control over system functions.
  • CVE-2025-8876 (CVSS score 9.4) - A command injection vulnerability caused by improper sanitization of user input. This flaw allows authenticated attackers to inject and execute arbitrary operating system commands on the underlying server infrastructure.

Both vulnerabilities require authentication to exploit, so attackers must have previously obtained credentials to access the N-central platform. Successful exploitation could lead to complete compromise of N-central instances, potentially allowing attackers to steal sensitive data, deploy malware on the managed systems' networks, or gain persistent access.

N-able's security investigations have confirmed evidence of active exploitation in a limited number of on-premises environments. The company reports no evidence of successful attacks against N-able's hosted cloud environments.

N-able has patched both vulnerabilities through the release of N-central version 2025.3.1 and the hotfix version 2024.6 HF2, both available on August 13, 2025. 

Organizations using N-central are strongly urged to upgrade to the patched versions. Those unable to update immediately should implement access controls to restrict the web interface's visibility from the internet and ensure multi-factor authentication is enabled.
