N‑able Confirms ‘Limited’ Exploitation Of N‑central RMM Vulnerabilities

Patches are available for the two critical-severity flaws impacting on-premises N‑central environments, which have been exploited in recent attacks, N‑able said Thursday.

N‑able has seen exploitation of a “limited number” of N‑central customer environments in connection with two “critical” zero-day vulnerabilities, the company said in a statement Thursday.

The statement followed the disclosure Wednesday by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) that a pair of vulnerabilities impacting N‑able’s N‑central remote monitoring and management (RMM) platform have been exploited in cyberattacks.

The flaws—tracked as CVE-2025-8875 and CVE-2025-8876—were added to CISA’s catalog of vulnerabilities known to have seen exploitation.

N-able disclosed Wednesday that its N-central 2025.3.1 update includes patches for the two vulnerabilities.

“Two critical vulnerabilities were identified within the N-able N-central solution—which require authentication to exploit—and could allow a threat actor to elevate their privileges and maliciously use N-central if not patched,” N-able said in a statement provided to CRN Thursday. “We acted quickly to release a hotfix to address these vulnerabilities, which we have communicated to all N-central customers. Our security investigations have shown evidence of this type of exploitation in a limited number of on-premises environments.”

N-able noted that it has seen no evidence so far of attacks exploiting N-able hosted cloud environments.

In its advisory about the N-central attacks, CISA warned that the vulnerabilities “pose significant risks to the federal enterprise” and ordered Federal Civilian Executive Branch agencies to implement patches to fix the issue by Aug. 20.

While the order only applies to federal agencies, CISA said it “strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [such] vulnerabilities as part of their vulnerability management practice.”

CISA disclosed that CVE-2025-8875 is an insecure deserialization vulnerability that could be exploited for command execution, while CVE-2025-8876 is a command injection vulnerability exploited through “improper sanitization of user input.” The agency says it’s currently unknown whether either flaw has been exploited as part of a ransomware attack.