N-able

CISA issued urgent warnings about two critical vulnerabilities (CVE-2025-8875 and CVE-2025-8876) in **N-able N-Central**, a widely used remote monitoring and management (RMM) platform. The flaws, an **insecure deserialization** vulnerability enabling arbitrary command execution and a **command injection** vulnerability due to improper input sanitization, are being actively exploited by threat actors. These vulnerabilities allow attackers to gain unauthorized access, execute malicious code, modify system configurations, or deploy payloads across enterprise networks. While no direct ransomware link is confirmed, the combined risks pose severe threats to data integrity, system control, and network security. CISA mandated patches or discontinuation of use by **August 20, 2025**, with N-able releasing version **2025.3.1** to address the issues. Failure to remediate could lead to large-scale breaches, lateral movement within networks, and potential operational disruptions for organizations relying on N-Central for IT management.

Source: https://cybersecuritynews.com/cisa-warns-of-n-able-n-central-vulnerabilities/

TPRM report: https://www.rankiteo.com/company/solarwindsmsp

"id": "sol310081425",
"linkid": "solarwindsmsp",
"type": "Vulnerability",
"date": "8/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Organizations using N-able '
                                              'N-Central (exact number '
                                              'unspecified)',
                        'industry': 'IT Management / Remote Monitoring and '
                                    'Management (RMM)',
                        'location': 'Ottawa, Canada (HQ)',
                        'name': 'N-able Technologies',
                        'type': 'Software Vendor'},
                       {'industry': 'IT Services',
                        'location': 'Global',
                        'type': 'Managed Service Providers (MSPs)'},
                       {'industry': 'Multiple (any using N-Central for IT '
                                    'management)',
                        'location': 'Global',
                        'type': 'Enterprises'}],
 'attack_vector': ['Network',
                   'User-Controlled Input (Deserialization)',
                   'Improper Input Sanitization (Command Injection)'],
 'customer_advisories': ['Organizations using N-Central should assume they are '
                         'at risk if unpatched',
                         'MSPs must notify clients of potential exposure via '
                         'vulnerable RMM tools'],
 'date_publicly_disclosed': '2025-08-13',
 'description': 'CISA has issued urgent warnings regarding two critical '
                'security vulnerabilities in N-able N-Central remote '
                'monitoring and management (RMM) software that threat actors '
                'are actively exploiting. The vulnerabilities, CVE-2025-8875 '
                '(insecure deserialization) and CVE-2025-8876 (command '
                'injection), pose significant risks to organizations using '
                'this widely-deployed IT management platform. Both flaws allow '
                'for remote code execution, unauthorized access, and potential '
                'system control by attackers. CISA has set a deadline of '
                'August 20, 2025, for mandatory fixes, with N-able releasing '
                'version 2025.3.1 to address these issues.',
 'impact': {'brand_reputation_impact': ['Reputational damage for N-able due to '
                                        'critical vulnerabilities',
                                        'Potential loss of trust in N-Central '
                                        'among MSPs and enterprises'],
            'operational_impact': ['Potential loss of control over managed IT '
                                   'systems',
                                   'Risk of lateral movement within enterprise '
                                   'networks',
                                   'Possible deployment of malicious payloads '
                                   '(e.g., ransomware)'],
            'systems_affected': ['N-able N-Central RMM deployments (versions '
                                 'prior to 2025.3.1)',
                                 'Managed systems connected to vulnerable '
                                 'N-Central instances']},
 'initial_access_broker': {'entry_point': ['Exploiting CVE-2025-8875 '
                                           '(deserialization) or CVE-2025-8876 '
                                           '(command injection) in N-Central',
                                           'Potential phishing or credential '
                                           'theft to access N-Central '
                                           'interfaces'],
                           'high_value_targets': ['Managed Service Providers '
                                                  '(MSPs)',
                                                  'Enterprise IT environments '
                                                  'using N-Central']},
 'investigation_status': 'Ongoing (active exploitation confirmed; full scope '
                         'of attacks unknown)',
 'lessons_learned': ['Critical importance of patching RMM software promptly '
                     'due to high-value target status for attackers',
                     'Deserialization and command injection vulnerabilities in '
                     'IT management tools can enable broad network compromise',
                     'Proactive monitoring for CISA KEV catalog updates is '
                     'essential for timely remediation'],
 'post_incident_analysis': {'corrective_actions': ['N-able released patched '
                                                   'version (2025.3.1) with '
                                                   'secure deserialization and '
                                                   'input validation',
                                                   'CISA enforced mandatory '
                                                   'remediation timeline '
                                                   '(August 20, 2025)'],
                            'root_causes': ['Insecure deserialization in '
                                            'N-Central’s object handling',
                                            'Insufficient input sanitization '
                                            'in command processing',
                                            'Lack of validation for '
                                            'user-controlled serialized data']},
 'recommendations': ['Immediately update N-able N-Central to version 2025.3.1 '
                     'or later',
                     'Discontinue use of N-Central if patches cannot be '
                     'applied',
                     'Implement network segmentation to limit lateral movement '
                     'risks',
                     'Enhance input validation and logging for RMM tools',
                     'Monitor for unusual activity in managed systems (e.g., '
                     'unexpected commands, new user accounts)',
                     'Review and harden deserialization processes in custom '
                     'applications'],
 'references': [{'source': 'CISA Known Exploited Vulnerabilities Catalog',
                 'url': 'https://www.cisa.gov/known-exploited-vulnerabilities-catalog'},
                {'source': 'N-able Security Advisory'},
                {'source': 'CISA Binding Operational Directive 22-01',
                 'url': 'https://www.cisa.gov/resources-tools/services/bod-22-01'}],
 'regulatory_compliance': {'regulatory_notifications': ['CISA Binding '
                                                        'Operational Directive '
                                                        '(BOD) 22-01 '
                                                        'compliance required']},
 'response': {'communication_strategy': ['CISA advisory issued (added to Known '
                                         'Exploited Vulnerabilities catalog on '
                                         '2025-08-13)',
                                         'Urgent notification to organizations '
                                         'using N-Central'],
              'containment_measures': ['Apply N-able patch (version 2025.3.1) '
                                       'immediately',
                                       'Discontinue use of N-Central if '
                                       'patches are unavailable'],
              'enhanced_monitoring': ['Monitor for signs of exploitation '
                                      '(e.g., unauthorized commands, lateral '
                                      'movement)'],
              'remediation_measures': ['Follow CISA’s Binding Operational '
                                       'Directive (BOD) 22-01 for cloud '
                                       'services',
                                       'Update all affected N-Central '
                                       'deployments by August 20, 2025']},
 'stakeholder_advisories': ['CISA urges immediate action for all N-Central '
                            'users',
                            'N-able recommends patching or discontinuing use'],
 'title': 'Critical Vulnerabilities in N-able N-Central RMM Software Actively '
          'Exploited (CVE-2025-8875 & CVE-2025-8876)',
 'type': ['Vulnerability Exploitation',
          'Remote Code Execution (RCE)',
          'Unauthorized Access',
          'Command Injection',
          'Insecure Deserialization'],
 'vulnerability_exploited': [{'cve_id': 'CVE-2025-8875',
                              'description': 'Allows arbitrary command '
                                             'execution via improper handling '
                                             'of serialized objects. Attackers '
                                             'can manipulate object states to '
                                             'bypass security controls and '
                                             'gain persistent access.',
                              'severity': 'Critical',
                              'type': 'Insecure Deserialization'},
                             {'cve_id': 'CVE-2025-8876',
                              'description': 'Stems from improper sanitization '
                                             'of user input in N-Central’s UI, '
                                             'enabling execution of arbitrary '
                                             'system commands, file access, or '
                                             'malware installation.',
                              'severity': 'Critical',
                              'type': 'Command Injection'}]}