CVE-2025-8875
published 2025-08-14CVE-2025-8875: Deserialization of Untrusted Data vulnerability in N-able N-central allows Local Execution of Code.This issue affects N-central: before 2025.3.1.
PriorityP181high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
KEVITW
CISA Known Exploited Vulnerabilitydue 2025-08-20
Exploited in the wild
EPSS
1.58%
72.5th percentile
Deserialization of Untrusted Data vulnerability in N-able N-central allows Local Execution of Code.This issue affects N-central: before 2025.3.1.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| n-able | n-central | < 2025.3.1 | 2025.3.1 |
Detection & IOCsextracted from sources · hover to see the quote
- →Exploitation has been confirmed only in on-premises N-central environments; cloud-hosted N-able environments show no evidence of exploitation — scope detection efforts to on-prem instances ↗
- →Approximately 2,000 N-central instances are exposed online; as of reporting ~880 remained unpatched and vulnerable — use Shodan/Shadowserver data to identify exposed instances in your environment ↗
- →CISA added CVE-2025-8875 to the Known Exploited Vulnerabilities Catalog; treat any N-central instance running a version prior to 2025.3.1 as actively at risk ↗
- ·The fix is available only in N-central version 2025.3.1 and later; all versions before 2025.3.1 are vulnerable. Full technical CVE details are withheld by N-able for three weeks post-release per their security disclosure policy. ↗
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.09.4CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck9.4CRITICAL
cisa9.4CRITICAL
vendor_cisco7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-rhqj-c64h-w74r: Deserialization of Untrusted Data vulnerability in N-able N-central allows Local Execution of Code
ghsa_unreviewed·2025-08-14
CVE-2025-8875 [CRITICAL] CWE-502 GHSA-rhqj-c64h-w74r: Deserialization of Untrusted Data vulnerability in N-able N-central allows Local Execution of Code
Deserialization of Untrusted Data vulnerability in N-able N-central allows Local Execution of Code.This issue affects N-central: before 2025.3.1.
VulnCheck
N-able N-Central Command Injection Vulnerability
vulncheck·2025·CVSS 9.4
CVE-2025-8876 [CRITICAL] N-able N-Central Command Injection Vulnerability
N-able N-Central Command Injection Vulnerability
N-able N-Central contains a command injection vulnerability via improper sanitization of user input.
Affected: N-able N-Central
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://x.com/rxerium/status/1957147780440264823; https://www.acn.gov.it/portale/w/n-able-rilevato-sfruttamento-in-rete-delle-cve-2025-8875-e-cve-2025-8876; https://hs-8813571.f.hubspotemail.net/hubfs/8813571/PERISCOPE_VULNINTEL_20250903.pdf; https://www.recordedfuture.com/blog/august-2025-cve-landscape; https://www.rapid7.c
VulnCheck
N-able N-Central Insecure Deserialization Vulnerability
vulncheck·2025·CVSS 9.4
CVE-2025-8875 [CRITICAL] N-able N-Central Insecure Deserialization Vulnerability
N-able N-Central Insecure Deserialization Vulnerability
N-able N-Central contains an insecure deserialization vulnerability that could lead to command execution.
Affected: N-able N-Central
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://x.com/rxerium/status/1957147780440264823; https://www.acn.gov.it/portale/w/n-able-rilevato-sfruttamento-in-rete-delle-cve-2025-8875-e-cve-2025-8876; https://hs-8813571.f.hubspotemail.net/hubfs/8813571/PERISCOPE_VULNINTEL_20250903.pdf; https://www.recordedfuture.com/blog/august-2025-cve-landscape; https://
Cisco
Cisco Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 with SIP Software Vulnerabilities
vendor_cisco·2025-10-15·CVSS 7.5
CVE-2025-20350 [HIGH] CWE-121 Cisco Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 with SIP Software Vulnerabilities
Cisco Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 with SIP Software Vulnerabilities
Multiple vulnerabilities in Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 running Cisco Session Initiation Protocol (SIP) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or conduct a cross-site scripting (XSS) attack against a user of the web UI.
Note: To exploit these vulnerabilities, the phone must be registered to Cisco Unified Communications Manager and have Web Access enabled. Web Access is disabled by default.
For more information about these vulnerabilities, see the Details section of this advisory.
Cisco has released software updates that address these vulnerabilitie
Cisco
Cisco Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 with SIP Software Vulnerabilities
vendor_cisco·2025-09-03·CVSS 5.3
CVE-2025-20335 [MEDIUM] CWE-200 Cisco Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 with SIP Software Vulnerabilities
Cisco Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 with SIP Software Vulnerabilities
Multiple vulnerabilities in the directory permissions of Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 with Cisco Session Initiation Protocol (SIP) Software could allow an unauthenticated, remote attacker to conduct arbitrary file write and information disclosure attacks on an affected device.
Note: To exploit these vulnerabilities, Web Access must be enabled on the phone. Web Access is disabled by default.
For more information about these vulnerabilities, see the Details section of this advisory.
Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
CISA
N-able N-Central Insecure Deserialization Vulnerability
cisa·2025-08-13·CVSS 9.4
CVE-2025-8875 [CRITICAL] N-able N-Central Insecure Deserialization Vulnerability
Vulnerability: N-able N-Central Insecure Deserialization Vulnerability
Affected: N-able N-Central
N-able N-Central contains an insecure deserialization vulnerability that could lead to command execution.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://status.n-able.com/2025/08/13/announcing-the-ga-of-n-central-2025-3-1/ ; https://nvd.nist.gov/vuln/detail/CVE-2025-8875
Remediation Due Date: 2025-08-20
Cisco
Cisco Video Phone 8875 and Desk Phone 9800 Series Information Disclosure Vulnerability
vendor_cisco·2025-02-19·CVSS 4.4
CVE-2025-20158 [MEDIUM] CWE-200 Cisco Video Phone 8875 and Desk Phone 9800 Series Information Disclosure Vulnerability
Cisco Video Phone 8875 and Desk Phone 9800 Series Information Disclosure Vulnerability
A vulnerability in the debug shell of Cisco Video Phone 8875 and Cisco Desk Phone 9800 Series could allow an authenticated, local attacker to access sensitive information on an affected device. To exploit this vulnerability, the attacker must have valid administrative credentials with SSH access on the affected device. SSH access is disabled by default.
This vulnerability is due to insufficient validation of user-supplied input by the debug shell of an affected device. An attacker could exploit this vulnerability by sending a crafted SSH client command to the CLI. A successful exploit could allow the attacker to access sensitive information on the underlying operating system.
Cisco has released softwa
Cisco
Cisco Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 with SIP Software Vulnerabilities
vendor_cisco·CVSS 3.1
CVE-2025-20336 Cisco Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 with SIP Software Vulnerabilities
CVE-2025-20336: Cisco Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 with SIP Software Vulnerabilities
Multiple vulnerabilities in the directory permissions of Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 with Cisco Session Initiation Protocol (SIP) Software could allow an unauthenticated, remote attacker to conduct arbitrary file write and information disclosure attacks on an affected device. Note: To exploit these vulnerabilities, Web Access must be enabled on the phone. Web Access is disabled by default. For more information about these vulnerabilities, see the
CVSS: 3.1
CWE: CWE-200, CWE-284, CWE-200, CWE-284
Bug IDs: CSCwn51677, CSCwn51679, CSCwn52909, CSCwn51677, CSCwn51679
Cisco
Cisco Video Phone 8875 and Desk Phone 9800 Series Information Disclosure Vulnerability
vendor_cisco·CVSS 3.1
CVE-2025-20158 Cisco Video Phone 8875 and Desk Phone 9800 Series Information Disclosure Vulnerability
CVE-2025-20158: Cisco Video Phone 8875 and Desk Phone 9800 Series Information Disclosure Vulnerability
A vulnerability in the debug shell of Cisco Video Phone 8875 and Cisco Desk Phone 9800 Series could allow an authenticated, local attacker to access sensitive information on an affected device. To exploit this vulnerability, the attacker must have valid administrative credentials with SSH access on the affected device. SSH access is disabled by default. This vulnerability is due to insufficient validation of user-supplied input by the debug shell of an affected device. An attacker could exploit this vulnerability by sending a crafted SSH client command to the CLI. A successful exploit could allow the attacker to access sensitive information on the underlying operating system. Cisco has re
Cisco
Cisco Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 with SIP Software Vulnerabilities
vendor_cisco·CVSS 3.1
CVE-2025-20335 Cisco Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 with SIP Software Vulnerabilities
CVE-2025-20335: Cisco Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 with SIP Software Vulnerabilities
Multiple vulnerabilities in the directory permissions of Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 with Cisco Session Initiation Protocol (SIP) Software could allow an unauthenticated, remote attacker to conduct arbitrary file write and information disclosure attacks on an affected device. Note: To exploit these vulnerabilities, Web Access must be enabled on the phone. Web Access is disabled by default. For more information about these vulnerabilities, see the
CVSS: 3.1
CWE: CWE-200, CWE-284, CWE-200, CWE-284
Bug IDs: CSCwn51677, CSCwn51679, CSCwn52909, CSCwn51677, CSCwn51679
Cisco
Cisco Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 with SIP Software Vulnerabilities
vendor_cisco·CVSS 3.1
CVE-2025-20351 Cisco Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 with SIP Software Vulnerabilities
CVE-2025-20351: Cisco Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 with SIP Software Vulnerabilities
Multiple vulnerabilities in Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 running Cisco Session Initiation Protocol (SIP) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or conduct a cross-site scripting (XSS) attack against a user of the web UI. Note: To exploit these vulnerabilities, the phone must be registered to Cisco Unified Communications Manager and have Web Access enabled. Web Access is disabled by default. For more information about these vulnerabilities, see the
CVSS: 3.1
CWE: CWE-121, CWE-79, CWE-121, CWE-79
Bug IDs: CSCwn51601, CSCwn51683, CSCwn58
Cisco
Cisco Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 with SIP Software Vulnerabilities
vendor_cisco·CVSS 3.1
CVE-2025-20350 Cisco Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 with SIP Software Vulnerabilities
CVE-2025-20350: Cisco Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 with SIP Software Vulnerabilities
Multiple vulnerabilities in Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 running Cisco Session Initiation Protocol (SIP) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or conduct a cross-site scripting (XSS) attack against a user of the web UI. Note: To exploit these vulnerabilities, the phone must be registered to Cisco Unified Communications Manager and have Web Access enabled. Web Access is disabled by default. For more information about these vulnerabilities, see the
CVSS: 3.1
CWE: CWE-121, CWE-79, CWE-121, CWE-79
Bug IDs: CSCwn51601, CSCwn51683, CSCwn58
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Over 800 N-able servers left unpatched against critical flaws
blogs_bleepingcomputer·2025-08-18·CVSS 9.4
CVE-2025-8875 [CRITICAL] Over 800 N-able servers left unpatched against critical flaws
## Over 800 N-able servers left unpatched against critical flaws
## Sergiu Gatlan
Over 800 N-able N-central servers remain unpatched against a pair of critical security vulnerabilities tagged as actively exploited last week.
N-central is a popular platform used by many managed services providers (MSPs) and IT departments to monitor and manage networks and devices from a centralized web-based console.
Tracked as CVE-2025-8875 and CVE-2025-8876 , the two flaws can let authenticated attackers to inject commands due to improper sanitization of user input and execute commands on unpatched devices by exploiting an insecure deserialization weakness, respectively.
N-able has patched them in N-central 2025.3.1 and told BleepingComputer on Thursday that the security bugs are now under active ex
Bleepingcomputer
CISA warns of N-able N-central flaws exploited in zero-day attacks
blogs_bleepingcomputer·2025-08-14·CVSS 9.4
[CRITICAL] CISA warns of N-able N-central flaws exploited in zero-day attacks
## CISA warns of N-able N-central flaws exploited in zero-day attacks
## Sergiu Gatlan
CISA warned on Wednesday that attackers are actively exploiting two security vulnerabilities in N‑able's N-central remote monitoring and management (RMM) platform.
N-central is commonly used by managed services providers (MSPs) and IT departments to monitor, manage, and maintain client networks and devices from a centralized web-based console.
According to CISA, the two flaws can allow authenticated attackers to gain command execution via an insecure deserialization weakness ( CVE-2025-8875 ) and inject commands by exploiting an improper sanitization of user input vulnerability ( CVE-2025-8876 ).
N-able confirms CISA's report that the security bugs are now being exploited in the wild and has patche
Greynoiseio
NoiseLetter September 2025
blogs_greynoiseio
NoiseLetter September 2025
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Why GreyNoise
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Fin
Recorded Future
August 2025 CVE Landscape
blogs_recorded_future·CVSS 8.8
[HIGH] August 2025 CVE Landscape
# August 2025 CVE Landscape
In August 2025, Recorded Future’s Insikt Group® identified eighteen high-impact vulnerabilities that should be prioritized for remediation. This represents a decrease from the 22 identified in July.
However, the number of Very Critical vulnerabilities has remained the same (16) compared to July. These vulnerabilities have affected the following vendors: Trend Micro, WinRAR, N-able, Cisco, Apple, Citrix, FreePBX, Git, Microsoft, D-Link, and Fortinet.
August was dominated by Citrix and D-Link flaws, which represented six of the eighteen vulnerabilities. Threat actors actively exploited Citrix NetScaler ADC, NetScaler Gateway, and Citrix Session Recording products, as well as D-Link DNR-322L and DCS-2530L routers.
Recorded Future Insikt Group’s CVE Findings fro
Recorded Future
August 2025 CVE Landscape
blogs_recorded_future·CVSS 8.8
[HIGH] August 2025 CVE Landscape
## August 2025 CVE Landscape
In August 2025, Recorded Future’s Insikt Group ® identified eighteen high-impact vulnerabilities that should be prioritized for remediation. This represents a decrease from the 22 identified in July.
However, the number of Very Critical vulnerabilities has remained the same (16) compared to July. These vulnerabilities have affected the following vendors: Trend Micro, WinRAR, N-able, Cisco, Apple, Citrix, FreePBX, Git, Microsoft, D-Link, and Fortinet.
August was dominated by Citrix and D-Link flaws, which represented six of the eighteen vulnerabilities. Threat actors actively exploited Citrix NetScaler ADC, NetScaler Gateway, and Citrix Session Recording products, as well as D-Link DNR-322L and DCS-2530L routers.
Recorded Future Insikt Group’s CVE Findings f
2025-08-14
Published
2025-08-13
Added to CISA KEV
Exploited in the wild