N‑able Discloses Maximum-Severity N‑central RMM Vulnerability
‘How they handle it is more important than the exploitation itself. Other companies have handled these things poorly in the past. So far, I haven’t seen N-able handle one poorly, and I’m thankful for that,’ says VXIT CEO Paul Vedder.
N‑able disclosed two “critical” vulnerabilities Wednesday impacting its N‑central remote monitoring and management (RMM) platform, one of which has received the maximum possible severity rating.
The company said in an email to CRN that it has “no indication” that the critical-severity vulnerabilities in N‑central have been exploited in cyberattacks. Patches are now available, the Burlington, Mass.-based vendor said.
This is the third vulnerability N-able has reported in three months. On August 13, the Cybersecurity and Infrastructure Security Agency (CISA) reported two known vulnerabilities in N-able’s N-central tool.
The maximum-severity flaw affecting N‑central (tracked as CVE-2025-11367) can enable remote execution of code, according to an advisory from N‑able. The vulnerability impacts the Windows version of the N-central Software Probe, a key component of the RMM platform that provides capabilities such as device discovery.
The vulnerability — which has received the maximum severity rating of 10.0 out of 10.0 — is fixed in the 2025.4 release of N-central, N‑able said.
All four of the N-central vulnerabilities disclosed Wednesday are fixed with the 2025.4 patch, the company said.
The second newly disclosed critical vulnerability impacting N-central (tracked as CVE-2025-11366) can be exploited to bypass authentication, and has a severity rating of 9.4 out of 10.0, N‑able said.
The two additional N-central flaws include a high-severity vulnerability (tracked as CVE-2025-11700) and a medium-severity flaw (tracked as CVE-2025-9316), neither of which has seen exploitation by attackers, according to N‑able.
Partners said the company’s swift technical response is encouraging, but greater transparency could help partners better assess potential exposure and reassure customers.
“If they’ve already put out a new version of their software, they’ve done what they needed to do technically. But providing additional transparency: what it affected, how long it was there, would really help users who rely on N-central,” Dawn Sizer, CEO of Mechanicsburg, Pa.-based 3rd Element Consulting, told CRN.
She added that while N-able typically provides strong communication around common vulnerabilities and exposures (CVEs), partners often need more context to determine what an issue might look like within their specific environments.
“They do release information, but you don’t always get much beyond the CVE itself,” she said. “It would be helpful to know how it looks, what indicators to check for, and where partners might see evidence of compromise.”
Paul Vedder, co-founder and CEO of West Palm Beach, Fla.-based VXIT, said the company’s handling of the situation is more important than the flaw itself.
“I’m always concerned about everything, no platform is 100 percent immune,” Vedder told CRN. “But I’m glad they caught it before it was allegedly used in the wild. I kind of see N-able as an underdog in the RMM space, so I’m rooting for them.”
He emphasized that incident response and communication are the true differentiators in moments like this.
“How they handle it is more important than the exploitation itself,” he said. “Other companies have handled these things poorly in the past. So far, I haven’t seen N-able handle one poorly, and I’m thankful for that.”
N-central user Brent Yax is also calling for clearer, faster communication to help partners stay informed and reassure customers.
“I do agree that internally they’re doing all the right things,” Yax, CEO of Troy, Mich.-based Awecomm, told CRN. “But it’s still hard to get information. There’s not a lot of chatter out there, and then suddenly there’s a mad rush for everyone to figure out what’s going on.
“They should focus on how to notify partners and make them feel secure, give them all the info before there’s a mad dash of customers asking questions and partners don’t know yet,” he added.
His concern comes as the vendor reports its third critical vulnerability since August, prompting questions about whether the recent discoveries reflect a broader security trend.
“We just want to hear from them about how they’re addressing this,” Yax said. “Are these discoveries a sign of stronger internal testing and preparedness? If so, tell us that, don’t make us guess why there seem to be more vulnerabilities lately.”
For others, the vulnerability underscores the unavoidable realities of cybersecurity risk in a connected ecosystem.
“Look, this is going to happen,” Michael Cervino, co-founder and CEO of Radnor, Pa.-based MSP Circle Square Consulting, told CRN. “As long as they did what they were supposed to do: follow their established protocols and remediate it, I have no issue. These things happen.”
And his trust in the vendor remains intact.
“It’s a good product,” he said. “Based on what I’m hearing and the initial indications, this isn’t going to impact how we do business with them.”
Vulnerabilities are inevitable, the four partners said, but how vendors respond defines the long-term trust equation.
“Transparency is key,” Sizer said. “Give us the details we need to check our systems and help our clients. That’s how you build confidence.”