cbcvebase.
CVE-2025-11700
published 2025-11-12

CVE-2025-11700: N-central versions < 2025.4 are vulnerable to multiple XML External Entities injection leading to information disclosure

Priority: P1 · 83 · high
CVSS 3.1: 7.5 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N)
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 31.04% (98.0th percentile)

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| n-able | n-central | < 2025.4 | 2025.4 |

Detection & IOCs (extracted from sources)

url: /dms/services/ServerUI
url: /dms/services/ServerMMS
command: ns1:applianceLogSubmit
snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER N-able N-central Authenticated importServiceFromFile XML External Entity Injection (CVE-2025-11700)"; flow:established,to_server; http.uri; content:"/dms/services/ServerMMS"; fast_pattern; http.request_body; content:"ns1:applianceLogSubmit"; content:"|3c 21|ENTITY|20|"; pcre:"/^\s*?(?:\x26\x23(?:x25|37)\x3b|\x25|[a-z]+)\x20[a-z]+\x20[A-Z]+\x20[\x22\x27][^\x22]*[\x22\x27]\x3e/R"; reference:url,horizon3.ai/attack-research/attack-blogs/n-able-n-central-from-n-days-to-0-days/; reference:cve,2025-11700; classtype:web-application-attack; sid:2065811; rev:1; metadata:affected_product N_Able, attack_target Server, tls_state TLSDecrypt, created_at 2025_11_18, cve CVE_2025_11700, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes: |3c 21|ENTITY|20|
  • The XXE payload is base64-encoded and submitted as the log content field; look for base64-encoded XML DOCTYPE/ENTITY declarations in the body of requests to /dms/services/ServerMMS.
  • The Nuclei template confirms exploitation by checking for a DNS interaction via interactsh, indicating out-of-band XXE exfiltration; monitor for unexpected DNS lookups originating from N-Central servers.
  • The Metasploit module exploits CVE-2025-9316 (auth bypass) first via sessionHello SOAP to ServerMMS with various appliance IDs, then triggers XXE via importServiceTemplateFromFile; correlate unauthenticated sessionHello requests with subsequent XXE activity.
  • Snort/Suricata rule SID 2065811 targets TLS-decrypted traffic; deploy with SSLDecrypt/TLSDecrypt capability to detect this attack at the perimeter or internally.
  • Sensitive files targeted by the XXE read primitive include the PostgreSQL dump, encrypted keystore, and keystore master password — monitor file access to these paths on N-Central hosts.
  • The Snort rule requires TLS decryption (TLSDecrypt/SSLDecrypt) to be effective, as N-Central traffic is served over HTTPS (HTTP/2); without TLS inspection the rule will not fire.
  • Affected versions are strictly N-Central < 2025.4.0.9; instances already patched to 2025.4 or later are not vulnerable.
  • Full exploitation of CVE-2025-11700 (XXE) in the Metasploit module is chained with CVE-2025-9316 (unauthenticated session bypass); detections focused solely on authenticated XXE may miss unauthenticated exploitation paths.
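
The first detection note above asks for base64-encoded DOCTYPE/ENTITY declarations in request bodies sent to /dms/services/ServerMMS. The Python sketch below is an added example, not code from this page or its sources: it decodes base64 runs found in already-decrypted request bodies and flags DTD declarations. The `<data>` element, the 24-character threshold and the sample requests are constructed assumptions.

```python
import base64
import binascii
import re

# Endpoint and SOAP operation come from the page's IOC list.
TARGET_PATH = "/dms/services/ServerMMS"
SOAP_OP = b"ns1:applianceLogSubmit"
DTD_DECL = re.compile(rb"<!(?:DOCTYPE|ENTITY)\s")  # XML keywords are case-sensitive
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")  # 24+ chars: assumed threshold


def decoded_candidates(body: bytes):
    """Yield decoded bytes for every plausible base64 run in the body."""
    for match in B64_RUN.finditer(body):
        run = match.group(0).rstrip(b"=")
        run += b"=" * (-len(run) % 4)  # normalise padding before strict decoding
        try:
            yield base64.b64decode(run, validate=True)
        except (binascii.Error, ValueError):
            continue  # not base64 after all


def inspect_request(path: str, body: bytes) -> list[str]:
    """Return findings for one request; an empty list means no match."""
    if not path.startswith(TARGET_PATH):
        return []
    findings = []
    if DTD_DECL.search(body):
        findings.append("plain DTD declaration")
    if any(DTD_DECL.search(d) for d in decoded_candidates(body)):
        findings.append("base64-encoded DTD declaration")
    if findings and SOAP_OP in body:
        findings.append("inside ns1:applianceLogSubmit")
    return findings


def wrap(payload: bytes) -> bytes:
    """Constructed envelope; <data> is a hypothetical element name."""
    return b"<ns1:applianceLogSubmit><data>" + base64.b64encode(payload) + b"</data></ns1:applianceLogSubmit>"


# Constructed sample requests, not captured traffic.
DTD_DOC = b'<!DOCTYPE log [<!ENTITY e SYSTEM "http://example.invalid/constructed">]><log>&e;</log>'
SAMPLES = [
    (TARGET_PATH, wrap(DTD_DOC)),
    (TARGET_PATH, wrap(b"2025-11-18 agent check-in completed, no errors")),
    ("/index.html", b"<!DOCTYPE html><html></html>"),
]

if __name__ == "__main__":
    for path, body in SAMPLES:
        print(path, inspect_request(path, body))
```

Like the Snort rule, this only works on decrypted bodies, for example from a TLS-terminating proxy; documents encoded as UTF-16 inside the base64 would need an extra decoding step.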

CVSS provenance

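| Source | Version | Score | Severity | Vector |
|--------|---------|-------|----------|--------|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v4.0 | 8.4 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | | 8.4 | HIGH | |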