The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added two security flaws impacting N-able N-central to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
N-able N-central is a Remote Monitoring and Management (RMM) platform designed for Managed Service Providers (MSPs), allowing customers to efficiently manage and secure their clients' Windows, Apple, and Linux endpoints from a single, unified platform.
The vulnerabilities in question are listed below -
- CVE-2025-8875 (CVSS score: N/A) - An insecure deserialization vulnerability that could lead to command execution
- CVE-2025-8876 (CVSS score: N/A) - A command injection vulnerability via improper sanitization of user input
Both shortcomings have been addressed in N-central versions 2025.3.1 and 2024.6 HF2 released on August 13, 2025. N-able is also urging customers to make sure that multi-factor authentication (MFA) is enabled, particularly for admin accounts.
"These vulnerabilities require authentication to exploit," N-able said in an alert. "However, there is a potential risk to the security of your N-central environment, if unpatched. You must upgrade your on-premises N-central to 2025.3.1."
It's currently not known how the vulnerabilities are being exploited in real-world attacks, in what context, and what is the scale of such efforts. When reached for comment, N-able shared the following statement with The Hacker News -
Two critical vulnerabilities were identified within the N-able N-central solution—which require authentication to exploit – and could allow a threat actor to elevate their privileges and maliciously use N-central if not patched. We acted quickly to release a hotfix to address these vulnerabilities, which we have communicated to all N-central customers. Our security investigations have shown evidence of this type of exploitation in a limited number of on-premises environments. We have not seen any evidence of exploitations within N-able hosted cloud environments. Our commitment to security and transparency will continue; we have reserved two CVEs (CVE-2025-8875, CVE-2025-8876) that relate to this hotfix which we will release in the coming weeks. We’ll update customers with any additional information that becomes available as our investigation continues into this matter.
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are recommended to apply the necessary fixes by August 20, 2025, to secure their networks.
The development comes a day after CISA placed two-year-old security flaws affecting Microsoft Internet Explorer and Office in the KEV catalog -
- CVE-2013-3893 (CVSS score: 8.8) - A memory corruption vulnerability in Microsoft Internet Explorer that allows for remote code execution
- CVE-2007-0671 (CVSS score: 8.8) - A remote code execution vulnerability in Microsoft Office Excel that can be exploited when a specially crafted Excel file is opened to achieve remote code execution
FCEB agencies have time till September 9, 2025, to update to the latest versions, or discontinue their use if the product has reached end-of-life (EoL) status, as is the case with Internet Explorer.
(The story was updated after publication to include a response from N-able.)
