Critical N-central RMM flaws actively exploited in the wild

Users of remote monitoring and management (RMM) solution N-able N-central are urged to deploy patches for two critical vulnerabilities that are being actively exploited in the wild. Frequently a target for attackers, RMM software is used by managed service providers (MSPs) and enterprises to monitor workstations, servers, mobile devices, and networking equipment.

The two N-central vulnerabilities, identified as CVE-2025-8875 and CVE-2025-8876, were patched in N-central 2025.3.1 and 2024.6 HF2, released on Aug. 13. The US Cybersecurity and Infrastructure Security Agency (CISA) added the flaws to its Known Exploited Vulnerabilities (KEV) catalog at the same time, indicating in-the-wild exploitation as zero days.

“These vulnerabilities require authentication to exploit. However, there is a potential risk to the security of your N-central environment, if unpatched,” N-able said in its release notes, adding that on-premises deployments require patching.

According to statistics from the Shadowserver Foundation, an organization that tracks vulnerability statistics in collaboration with the UK government, there are still more than 780 vulnerable N-central servers exposed to the internet based on unique IP count, with the majority in North America (415) and Europe (239). Meanwhile, the Shodan internet device search engine shows over 3,000 results for N-central.

The risk is particularly high because N-central is a product aimed at MSPs, who then use it to manage and monitor the environments of thousands of small and midsize businesses. The product’s developer, N-able, is SolarWinds’ former MSP business, which was spun off into a separate company in 2021.

MSPs and RMM software offer prime targets

While there aren’t many details about the two vulnerabilities, one is described as a command injection flaw via improper sanitization of user input (CVE-2025-8876) and the other as an insecure deserialization vulnerability that could lead to command execution (CVE-2025-8875).

Deserialization is the process by which a programming language converts data from a byte stream used for transmission back into a usable format. This data parsing operation has historically been a source of critical remote code execution vulnerabilities in many applications.

It’s not clear whether a successful exploit against N-central requires chaining the two vulnerabilities together. It’s also not clear what existing privileges are required to initiate the exploit. Despite requiring authentication to attack, both flaws are rated with a CVSS score of 9.4 out of 10, which indicates critical severity.

Over the past several years, multiple ransomware groups have exploited vulnerabilities in RMM software to target MSPs because access to MSP tools or environments can provide them with access into hundreds or thousands of corporate networks downstream. In 2021, the REvil ransomware gang exploited a zero-day vulnerability in a remote management tool used by MSPs called Kaseya VSA to compromise organizations and MSPs.

Cyberespionage groups (APTs) have also targeted MSPs, with one example being Silk Typhoon, a Chinese group that specializes in supply-chain attacks. Microsoft warned in March that Silk Typhoon routinely targets IT services and infrastructure providers, remote monitoring and management (RMM) companies, managed service providers (MSPs), and their affiliates.
