Two critical N-able N-central vulnerabilities exploited

On August 13, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two new vulnerabilities affecting N-able’s N-central platform to its Known Exploited Vulnerabilities (KEV) catalog, signaling that they are already being leveraged in the wild. N-able reported that they have seen evidence of exploitation “in a limited number of on-premises environments” and have no evidence of exploitation within N-able-hosted cloud environments.

N-central is a core Remote Monitoring and Management (RMM) tool used by Managed Service Providers (MSPs) to oversee and maintain client systems across multiple operating systems.

The flaws, tracked as CVE-2025-8875 and CVE-2025-8876, were both assigned a CVSS score of 9.4, and require authentication to exploit. Both have the potential to enable lateral movement and privilege escalation.

• CVE-2025-8875 is an insecure deserialization vulnerability that could allow authenticated execution of malicious commands on affected systems.
• CVE-2025-8876 is a command injection flaw stemming from improper sanitization of user input.

N-able addressed both vulnerabilities in N-central versions 2025.3.1 and 2024.6 HF2.

The company has not disclosed technical details or proof-of-concept exploits, citing a three-week embargo period to allow customers time to remediate. CISA’s directive mandates Federal Civilian Executive Branch (FCEB) agencies to apply fixes by August 20.

Shodan searches show that over 2000 N-central instances are exposed online, primarily in the U.S., Australia, and Germany.

Stay on top of emerging threats like this.

Sign up to receive a weekly roundup of our security intelligence feed. You'll be the first to know of emerging attack vectors, threats, and vulnerabilities. 

Sign up

Analyst insight

Organizations running on-premises versions of N-central should prioritize upgrading to version 2025.3.1 or applying hotfix 2024.6 HF2 as soon as possible. For cloud-hosted environments, MSPs should confirm with N-able that their instances have already been updated.

Beyond patching, enabling multi-factor authentication (MFA) for all accounts with elevated privileges is strongly recommended. While the vulnerabilities require authentication, MFA can significantly reduce the risk of unauthorized access through stolen or brute-forced credentials. MSPs should also conduct thorough log reviews to identify any unusual activity that could indicate exploitation attempts.

To further reduce risk, MSPs should isolate their N-central infrastructure from broader client networks. Implementing strict access controls, network segmentation, and advanced detection tools can help contain potential breaches and provide early warning of malicious activity. As attackers increasingly target RMM platforms for their strategic value, securing these systems should be a priority for MSPs and their downstream clients, particularly given the platform’s privileged access to customer infrastructure.