The cybersecurity agency CISA is warning organizations that use the N-central remote monitoring and management (RMM) product from N-able about two recently patched vulnerabilities being exploited in the wild.
N-central is designed to provide management, automation, and orchestration capabilities to MSPs and IT teams.
N-able informed customers on August 13 that a new version of the product, 2025.3, includes a “critical security fix” for two vulnerabilities tracked as CVE-2025-8875 and CVE-2025-8876.
“These vulnerabilities require authentication to exploit. However, there is a potential risk to the security of your N-central environment, if unpatched,” the vendor said.
CVE-2025-8875 has been described as an insecure deserialization issue, while CVE-2025-8876 is a command injection flaw. N-able said details will be made available after three weeks.
N-able’s advisory does not mention in-the-wild exploitation of the flaws, but CISA has added them to its Known Exploited Vulnerabilities (KEV) catalog. The agency has instructed government organizations to patch the security holes by August 20.
Considering that CISA added them to its KEV catalog on the same day they were disclosed, and considering that no technical information or PoC exploits appear to be publicly available, it’s possible that the flaws have been exploited as zero-days.
Industry professionals have warned that given N-central’s use by MSPs, threat actors could exploit the vulnerabilities to access MSP customers’ environments.
It’s worth noting that N-able was created in 2021 as a spin-off of SolarWinds, which in 2020 was targeted in a high-impact supply chain attack.
SecurityWeek has reached out to N-able for comment and will update this article if the company responds.
UPDATE. N-able has provided the following statement to SecurityWeek, confirming malicious exploitation:
Two critical vulnerabilities were identified within the N-able N-central solution—which require authentication to exploit—and could allow a threat actor to elevate their privileges and maliciously use N-central if not patched. We acted quickly to release a hotfix to address these vulnerabilities, which we have communicated to all N-central customers.
Our security investigations have shown evidence of this type of exploitation in a limited number of on-premises environments. We have not seen any evidence of exploitations within N-able hosted cloud environments. Our commitment to security and transparency will continue; we have reserved two CVEs (CVE-2025-8875, CVE-2025-8876) that relate to this hotfix which we will release in the coming weeks. We’ll update customers with any additional information that becomes available as our investigation continues into this matter.
Related: CISA Warns of SysAid Vulnerability Exploitation
Related: CitrixBleed 2 Flaw Poses Unacceptable Risk: CISA
Related: CISA Warns of Two Exploited TeleMessage Vulnerabilities
