Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

CISA Warns of Attacks Exploiting N-able Vulnerabilities

CISA reported becoming aware of attacks exploiting CVE-2025-8875 and CVE-2025-8876 in N-able N-central on the day they were patched.

CISA KEV

The cybersecurity agency CISA is warning organizations that use the N-central remote monitoring and management (RMM) product from N-able about two recently patched vulnerabilities being exploited in the wild.

N-central is designed to provide management, automation, and orchestration capabilities to MSPs and IT teams.

N-able informed customers on August 13 that a new version of the product, 2025.3, includes a “critical security fix” for two vulnerabilities tracked as CVE-2025-8875 and CVE-2025-8876. 

“These vulnerabilities require authentication to exploit. However, there is a potential risk to the security of your N-central environment, if unpatched,” the vendor said.

CVE-2025-8875 has been described as an insecure deserialization issue, while CVE-2025-8876 is a command injection flaw. N-able said details will be made available after three weeks.

N-able’s advisory does not mention in-the-wild exploitation of the flaws, but CISA has added them to its Known Exploited Vulnerabilities (KEV) catalog. The agency has instructed government organizations to patch the security holes by August 20.

Advertisement. Scroll to continue reading.

Considering that CISA added them to its KEV catalog on the same day they were disclosed, and considering that no technical information or PoC exploits appear to be publicly available, it’s possible that the flaws have been exploited as zero-days. 

Industry professionals have warned that given N-central’s use by MSPs, threat actors could exploit the vulnerabilities to access MSP customers’ environments. 

It’s worth noting that N-able was created in 2021 as a spin-off of SolarWinds, which in 2020 was targeted in a high-impact supply chain attack

SecurityWeek has reached out to N-able for comment and will update this article if the company responds.

UPDATE. N-able has provided the following statement to SecurityWeek, confirming malicious exploitation:

Two critical vulnerabilities were identified within the N-able N-central solution—which require authentication to exploit—and could allow a threat actor to elevate their privileges and maliciously use N-central if not patched. We acted quickly to release a hotfix to address these vulnerabilities, which we have communicated to all N-central customers.

Our security investigations have shown evidence of this type of exploitation in a limited number of on-premises environments. We have not seen any evidence of exploitations within N-able hosted cloud environments. Our commitment to security and transparency will continue; we have reserved two CVEs (CVE-2025-8875, CVE-2025-8876) that relate to this hotfix which we will release in the coming weeks. We’ll update customers with any additional information that becomes available as our investigation continues into this matter.

Related: CISA Warns of SysAid Vulnerability Exploitation

Related: CitrixBleed 2 Flaw Poses Unacceptable Risk: CISA

Related: CISA Warns of Two Exploited TeleMessage Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

Mark Carter has been appointed Chief Information Security Officer at Socure.

Spektrum Labs has named Mark Cravotta Chief Operating Officer.

More People On The Move

Expert Insights

Four decades of incident response experience suggest that exploits are often the symptom, not the root cause, of today’s cybersecurity failures.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.