cbcvebase.
CVE-2025-8876
published 2025-08-14

CVE-2025-8876: Improper Input Validation vulnerability in N-able N-central allows OS Command Injection.This issue affects N-central: before 2025.3.1.

PriorityP185high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
KEVITW
CISA Known Exploited Vulnerabilitydue 2025-08-20
Exploited in the wild
EPSS
3.17%
86.4th percentile
Improper Input Validation vulnerability in N-able N-central allows OS Command Injection.This issue affects N-central: before 2025.3.1.

Affected

1 ranges
VendorProductVersion rangeFixed in
n-ablen-central< 2025.3.12025.3.1

Detection & IOCsextracted from sources · hover to see the quote

  • CVE-2025-8876 is an OS Command Injection via improper sanitization of user input in N-able N-central; focus detection on authenticated HTTP requests containing shell metacharacters or command sequences in user-controlled input fields on N-central web console endpoints
  • Exploitation is confirmed only against on-premises N-central deployments; N-able hosted cloud environments show no evidence of exploitation — scope detection efforts to on-premises instances
  • Approximately 2,000 N-central instances are internet-exposed; prioritize monitoring/blocking of inbound authenticated sessions to N-central servers from unexpected external IPs, especially from US, Canada, Netherlands, Australia, and Germany
  • CVE-2025-8876 is listed in CISA KEV as actively exploited in zero-day attacks; treat any N-central server running a version before 2025.3.1 as potentially compromised and investigate for signs of command execution
  • CVE-2025-8876 affects N-central versions before 2025.3.1; use version fingerprinting on exposed N-central instances to identify unpatched targets
  • ·No technical details (specific vulnerable endpoint, payload structure, or PoC) have been publicly released yet; N-able stated full CVE details will be published three weeks after the 2025.3.1 release, limiting precise detection rule creation at this time
  • ·No evidence of ransomware usage has been observed in conjunction with this CVE as of the time of reporting, but the attack surface (MSP/RMM platform) makes downstream impact to managed endpoints a significant concern
  • ·Shadowserver's count of 880 unpatched servers is based on summed unique IPs and may overcount; treat exposure figures as indicative rather than exact

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.09.4CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck9.4CRITICAL
cisa9.4CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.