Full Report
N-central is N-able's remote monitoring and management solution. There were two vulnerabilities in the software. While reviewing the software, the researchers found two more. This report covers all four of them.

CVE-2025-8875 was an insecure deserialization bug. ObjectInputStream is used to create an object from raw bytes, so with user-controlled data it could be used to create arbitrary objects. Although not explicitly stated, this commonly leads to RCE in Java-based products. CVE-2025-8876 was a simple command injection from input provided directly to Runtime.getRuntime().execute(). Both of these were on legacy APIs but required valid sessions.

They found that authentication could be bypassed via some pre-configured authentication information for various appliances. So, many authenticated endpoints, besides the SOAP ones, could be triggered using this. This gave them a partial authentication bypass and opened up much more attack surface to work with.

While using grep for functions that use XML, they found a parser that wasn't configured with secure defaults. This led to an XXE issue, which they used to retrieve arbitrary files on disk. In all likelihood, this would lead to a complete compromise of the system by extracting configuration, backup and database information with credentials.

Overall, a great chain of vulnerabilities to go from unauthenticated to taking over the machine directly. Great work!
Analysis Summary
# Vulnerability: N-able N-central Multi-Step RCE and Information Disclosure Chain
## CVE Details
- **CVE ID:** CVE-2025-8875, CVE-2025-8876, CVE-2025-9316, CVE-2025-11700
- **CVSS Score:** Critical (Specific numerical scores vary by CVE; chain allows unauthenticated RCE)
- **CWE:**
  - CWE-502 (Insecure Deserialization)
  - CWE-78 (Command Injection)
  - CWE-287 (Improper Authentication)
  - CWE-611 (XXE Injection)
## Affected Systems
- **Products:** N-able N-central (Remote Monitoring and Management solution)
- **Versions:**
  - Versions prior to 2025.3.0.14 (vulnerable to CVE-2025-8875 and CVE-2025-8876)
  - All versions prior to 2025.4.0.9 (vulnerable to the full chain, including 0-day XXE and Auth Bypass)
- **Configurations:** Systems with legacy SOAP APIs enabled and accessible (default in many older deployments).
## Vulnerability Description
Security researchers identified a chain of four vulnerabilities that allow an unauthenticated attacker to take full control of an N-central instance:
1. **CVE-2025-9316 (Auth Bypass):** A flaw in how SessionIDs are generated for various appliances allows an attacker to bypass authentication and access legacy SOAP API endpoints.
2. **CVE-2025-8875 (Insecure Deserialization):** The `getObject` method in legacy license response classes uses `ObjectInputStream` on user-controlled bytes without validation, leading to Remote Code Execution (RCE).
3. **CVE-2025-8876 (Command Injection):** Input provided to the `activateMotherShipMonitoring` function was passed directly to a system execution utility without sanitization.
4. **CVE-2025-11700 (XXE Injection):** The XML parser used in `importServiceFromFile` was not configured with secure defaults, allowing attackers to read arbitrary files from the server, including configuration files containing database credentials and integration secrets.
## Exploitation
- **Status:** PoC developed by researchers; CVE-2025-8875/8876 are listed on CISA KEV (Known Exploited Vulnerabilities).
- **Complexity:** Medium
- **Attack Vector:** Network
## Impact
- **Confidentiality:** Total (Ability to read arbitrary files, database secrets, and domain credentials).
- **Integrity:** Total (Full system compromise and code execution).
- **Availability:** Total (Ability to modify or shut down management services).
## Remediation
### Patches
- **Primary Fix:** Update to **N-central version 2025.4.0.9** or later. This release disables the vulnerable legacy SOAP APIs by default.
- **Incremental Fix:** Version 2025.3.0.14 addressed the initial RCE bugs but did not fix the authentication bypass or XXE.
### Workarounds
- Disable or restrict access to the `/dms/services/` endpoints at the network perimeter.
- Ensure the N-central instance is not directly exposed to the internet if possible.
## Detection
### Indicators of Compromise
- **Filesystem Logs:**
  - Check `dmsservice.log` for entries: "Failed to import service template from file" or "Exception calling ServerUI:importServiceTemplateFromFile" followed by system file contents (e.g., `/etc/passwd`).
  - Check `dmsservice_soap.log` for "servicetemplate xml could not be imported" containing suspicious XML with external DTD/Entity references.
- **Network Traffic:** Monitor for unusual SOAP requests to the `/dms/services/ServerUI` endpoint, particularly those calling `ActivateServer` or `importServiceTemplateFromFile`.
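A triage sketch for the two log checks above, added here as an example and not taken from the vendor advisory or the research blog: it flags the quoted messages and reports whether passwd-style records or external DTD/entity declarations appear on the same line or within the next few lines. The log line layout, the five-line window, both regexes and the sample lines are assumptions.

```python
import re

# Message strings come from the IoC list above; everything else here is an assumption.
DMS_MARKERS = (
    "Failed to import service template from file",
    "Exception calling ServerUI:importServiceTemplateFromFile",
)
SOAP_MARKERS = ("servicetemplate xml could not be imported",)

# Heuristic evidence patterns (assumed): passwd-style records, external DTD/entity use.
PASSWD_RECORD = re.compile(r"\b[a-z_][a-z0-9_-]*:[^:\s]*:\d+:\d+:[^:\n]*:/[^:\s]*:[^:\s]*")
EXTERNAL_XML = re.compile(r"<!DOCTYPE\b|<!ENTITY\b[^>]*\b(?:SYSTEM|PUBLIC)\b", re.I)

def scan(lines, markers, evidence, window=5):
    """Return (line_no, has_evidence) per marker line, checking it and the next `window` lines."""
    hits = []
    for i, line in enumerate(lines):
        if any(m in line for m in markers):
            context = "\n".join(lines[i:i + 1 + window])
            hits.append((i + 1, bool(evidence.search(context))))
    return hits

def scan_dmsservice(lines):
    return scan(lines, DMS_MARKERS, PASSWD_RECORD)

def scan_soap(lines):
    return scan(lines, SOAP_MARKERS, EXTERNAL_XML)

# Constructed sample lines for illustration; the real log layout may differ.
SAMPLE_DMS = [
    "2025-01-01 10:00:00 INFO  Service template import requested",
    "2025-01-01 10:00:01 ERROR Failed to import service template from file",
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
    "2025-01-01 11:30:00 ERROR Failed to import service template from file",
    "java.io.FileNotFoundException: template.xml (No such file or directory)",
]
SAMPLE_SOAP = [
    "2025-01-01 10:00:01 WARN servicetemplate xml could not be imported",
    '<!DOCTYPE t [<!ENTITY e SYSTEM "file:///etc/passwd">]>',
    "2025-01-01 12:00:00 WARN servicetemplate xml could not be imported",
    "<ServiceTemplate><Name>Disk</Name></ServiceTemplate>",
]

if __name__ == "__main__":
    print("dmsservice.log:", scan_dmsservice(SAMPLE_DMS))
    print("dmsservice_soap.log:", scan_soap(SAMPLE_SOAP))
```

A hit with `True` means the marker is accompanied by leaked file content or an external entity declaration and should be escalated; `False` means the message alone was seen and needs manual review.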
## References
- **Vendor Advisory:** [https://me.n-able.com/s/security-advisory/aArVy0000000rdpKAA/cve20259316-ncentral-unauthenticated-sessionid-generation]
- **Vendor Advisory:** [https://me.n-able.com/s/security-advisory/aArVy0000000rabKAA/cve202511700-ncentral-importservicefromfile-xxe-injection]
- **Research Blog:** [https://horizon3.ai/attack-research/attack-blogs/n-able-n-central-from-n-days-to-0-days/]