Vulnerabilities

CISA Warns of Attacks Exploiting N-able Vulnerabilities

CISA reported becoming aware of attacks exploiting CVE-2025-8875 and CVE-2025-8876 in N-able N-central on the day they were patched.

CISA KEV

The cybersecurity agency CISA is warning organizations that use the N-central remote monitoring and management (RMM) product from N-able about two recently patched vulnerabilities being exploited in the wild.

N-central is designed to provide management, automation, and orchestration capabilities to MSPs and IT teams.

N-able informed customers on August 13 that a new version of the product, 2025.3, includes a “critical security fix” for two vulnerabilities tracked as CVE-2025-8875 and CVE-2025-8876. 

“These vulnerabilities require authentication to exploit. However, there is a potential risk to the security of your N-central environment, if unpatched,” the vendor said.

CVE-2025-8875 has been described as an insecure deserialization issue, while CVE-2025-8876 is a command injection flaw. N-able said details will be made available after three weeks.

N-able’s advisory does not mention in-the-wild exploitation of the flaws, but CISA has added them to its Known Exploited Vulnerabilities (KEV) catalog. The agency has instructed government organizations to patch the security holes by August 20.

Advertisement. Scroll to continue reading.

Considering that CISA added them to its KEV catalog on the same day they were disclosed, and considering that no technical information or PoC exploits appear to be publicly available, it’s possible that the flaws have been exploited as zero-days. 

Industry professionals have warned that given N-central’s use by MSPs, threat actors could exploit the vulnerabilities to access MSP customers’ environments. 

It’s worth noting that N-able was created in 2021 as a spin-off of SolarWinds, which in 2020 was targeted in a high-impact supply chain attack

SecurityWeek has reached out to N-able for comment and will update this article if the company responds.

UPDATE. N-able has provided the following statement to SecurityWeek, confirming malicious exploitation:

Two critical vulnerabilities were identified within the N-able N-central solution—which require authentication to exploit—and could allow a threat actor to elevate their privileges and maliciously use N-central if not patched. We acted quickly to release a hotfix to address these vulnerabilities, which we have communicated to all N-central customers.

Our security investigations have shown evidence of this type of exploitation in a limited number of on-premises environments. We have not seen any evidence of exploitations within N-able hosted cloud environments. Our commitment to security and transparency will continue; we have reserved two CVEs (CVE-2025-8875, CVE-2025-8876) that relate to this hotfix which we will release in the coming weeks. We’ll update customers with any additional information that becomes available as our investigation continues into this matter.

Related: CISA Warns of SysAid Vulnerability Exploitation

Related: CitrixBleed 2 Flaw Poses Unacceptable Risk: CISA

Related: CISA Warns of Two Exploited TeleMessage Vulnerabilities

Related Content

Ransomware

The Microsoft Defender vulnerability CVE-2026-33825 was exploited in the wild as a zero-day before patches were released.

Vulnerabilities

The critical-severity defect allows unauthenticated attackers to take over the E-Business Suite’s Payments product.

Malware & Threats

The threat actor is focused on collecting credentials, SSH keys, cryptocurrency wallets, and development tooling.

ICS/OT

CISA has added the remote code execution flaw CVE-2026-12569 to its Known Exploited Vulnerabilities catalog.

ICS/OT

The exploited flaw, CVE-2025-67038, is one of the vulnerabilities disclosed in April as part of the BRIDGE:BREAK research project.

Vulnerabilities

CVE-2026-20245, the 7th Cisco SD-WAN vulnerability exploited in 2026, was used for months prior to its disclosure and patching.

Vulnerabilities

The flaws allow remote, unauthenticated attackers to make system changes, access underlying accounts, and inject commands.

Network Security

Cisco noted that a PoC had been available for CVE-2026-20230 when it announced patches in early June.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version