Hundreds of N-able N-central Instances Affected by Exploited Vulnerabilities

More than 870 N-able N-central instances have not been patched against CVE-2025-8875 and CVE-2025-8876, two exploited vulnerabilities.

More than 870 internet-exposed N-able N-central instances are running versions affected by two exploited vulnerabilities, data from The Shadowserver Foundation shows.

The security defects, tracked as CVE-2025-8875 and CVE-2025-8876, are described as an insecure deserialization issue and a command injection bug, respectively.

The flaws were disclosed on August 13, when N-able announced that patches for them were included in version 2025.3 of its remote monitoring and management (RMM) product.

On the same day, the US cybersecurity agency CISA added both vulnerabilities to its KEV catalog, urging federal agencies to patch them by August 20.

N-able did not share technical details on the bugs, but confirmed to SecurityWeek that the issues had been exploited against a limited number of customers to elevate privileges and abuse vulnerable self-hosted N-central instances.

“We have not seen any evidence of exploitations within N-able hosted cloud environments. We’ll update customers with any additional information that becomes available as our investigation continues into this matter,” N-able said.

The vendor has not confirmed it, but the timing of the disclosure and CISA adding them to its KEV list suggests that the vulnerabilities may have been exploited as zero-days. 

Shortly after the bugs were disclosed, The Shadowserver Foundation started tracking internet-exposed N-central instances affected by CVE-2025-8875 and CVE-2025-8876.

“We added version-based N-able N-central RMM CVE-2025-8875 & CVE-2025-8876 detection to our daily scans. 1077 IPs unpatched IPs seen on 2025-08-15,” Shadowserver said on Sunday.

The Shadowserver Foundation’s tracker shows that, as of August 17, more than 870 N-central instances were unpatched against the two vulnerabilities. Most of these deployments are in the US (367), with Canada (92), the Netherlands (84), Australia (74), and the UK (72) rounding out the top five.

A spin-off of SolarWinds, N-able was created in 2021. N-central is a management, automation, and orchestration tool used by MSPs and IT teams, and its successful compromise could allow hackers to access MSP customers’ environments.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
