CVE-2025-8876
Published 2025-08-14
CVE-2025-8876: Improper Input Validation vulnerability in N-able N-central allows OS Command Injection. This issue affects N-central: before 2025.3.1.
Priority P1 · 85 · high · 8.8 CVSS 3.1
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
KEV · ITW
CISA Known Exploited Vulnerability, due 2025-08-20
Exploited in the wild
EPSS: 3.17% (86.4th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| n-able | n-central | < 2025.3.1 | 2025.3.1 |
Detection & IOCs (extracted from sources)
- CVE-2025-8876 is an OS Command Injection via improper sanitization of user input in N-able N-central; focus detection on authenticated HTTP requests containing shell metacharacters or command sequences in user-controlled input fields on N-central web console endpoints.
- Exploitation is confirmed only against on-premises N-central deployments; N-able hosted cloud environments show no evidence of exploitation, so scope detection efforts to on-premises instances.
- Approximately 2,000 N-central instances are internet-exposed; prioritize monitoring/blocking of inbound authenticated sessions to N-central servers from unexpected external IPs, especially from US, Canada, Netherlands, Australia, and Germany.
- CVE-2025-8876 is listed in CISA KEV as actively exploited in zero-day attacks; treat any N-central server running a version before 2025.3.1 as potentially compromised and investigate for signs of command execution.
- CVE-2025-8876 affects N-central versions before 2025.3.1; use version fingerprinting on exposed N-central instances to identify unpatched servers.
- No technical details (specific vulnerable endpoint, payload structure, or PoC) have been publicly released yet; N-able stated full CVE details will be published three weeks after the 2025.3.1 release, limiting precise detection rule creation at this time.
- No evidence of ransomware usage has been observed in conjunction with this CVE as of the time of reporting, but the attack surface (MSP/RMM platform) makes downstream impact to managed endpoints a significant concern.
- Shadowserver's count of 880 unpatched servers is based on summed unique IPs and may overcount; treat exposure figures as indicative rather than exact.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.4 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | | 9.4 | CRITICAL | |
| cisa | | 9.4 | CRITICAL | |
CISA
N-able N-Central Command Injection Vulnerability
cisa·2025-08-13·CVSS 9.4
CVE-2025-8876 [CRITICAL] N-able N-Central Command Injection Vulnerability
Vulnerability: N-able N-Central Command Injection Vulnerability
Affected: N-able N-Central
N-able N-Central contains a command injection vulnerability via improper sanitization of user input.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://status.n-able.com/2025/08/13/announcing-the-ga-of-n-central-2025-3-1/ ; https://nvd.nist.gov/vuln/detail/CVE-2025-8876
Remediation Due Date: 2025-08-20
GHSA
GHSA-mv58-xq9x-f6c5: Improper Input Validation vulnerability in N-able N-central allows OS Command Injection
ghsa_unreviewed·2025-08-14
CVE-2025-8876 [CRITICAL] CWE-20 GHSA-mv58-xq9x-f6c5: Improper Input Validation vulnerability in N-able N-central allows OS Command Injection
Improper Input Validation vulnerability in N-able N-central allows OS Command Injection. This issue affects N-central: before 2025.3.1.
VulnCheck
N-able N-Central Command Injection Vulnerability
vulncheck·2025·CVSS 9.4
CVE-2025-8876 [CRITICAL] N-able N-Central Command Injection Vulnerability
N-able N-Central Command Injection Vulnerability
N-able N-Central contains a command injection vulnerability via improper sanitization of user input.
Affected: N-able N-Central
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://x.com/rxerium/status/1957147780440264823; https://www.acn.gov.it/portale/w/n-able-rilevato-sfruttamento-in-rete-delle-cve-2025-8875-e-cve-2025-8876; https://hs-8813571.f.hubspotemail.net/hubfs/8813571/PERISCOPE_VULNINTEL_20250903.pdf; https://www.recordedfuture.com/blog/august-2025-cve-landscape; https://www.rapid7.c
VulnCheck
N-able N-Central Insecure Deserialization Vulnerability
vulncheck·2025·CVSS 9.4
CVE-2025-8875 [CRITICAL] N-able N-Central Insecure Deserialization Vulnerability
N-able N-Central Insecure Deserialization Vulnerability
N-able N-Central contains an insecure deserialization vulnerability that could lead to command execution.
Affected: N-able N-Central
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://x.com/rxerium/status/1957147780440264823; https://www.acn.gov.it/portale/w/n-able-rilevato-sfruttamento-in-rete-delle-cve-2025-8875-e-cve-2025-8876; https://hs-8813571.f.hubspotemail.net/hubfs/8813571/PERISCOPE_VULNINTEL_20250903.pdf; https://www.recordedfuture.com/blog/august-2025-cve-landscape; https://
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Over 800 N-able servers left unpatched against critical flaws
blogs_bleepingcomputer·2025-08-18·CVSS 9.4
CVE-2025-8875 [CRITICAL] Over 800 N-able servers left unpatched against critical flaws
## Over 800 N-able servers left unpatched against critical flaws
## Sergiu Gatlan
Over 800 N-able N-central servers remain unpatched against a pair of critical security vulnerabilities tagged as actively exploited last week.
N-central is a popular platform used by many managed services providers (MSPs) and IT departments to monitor and manage networks and devices from a centralized web-based console.
Tracked as CVE-2025-8875 and CVE-2025-8876, the two flaws can let authenticated attackers inject commands due to improper sanitization of user input and execute commands on unpatched devices by exploiting an insecure deserialization weakness, respectively.
N-able has patched them in N-central 2025.3.1 and told BleepingComputer on Thursday that the security bugs are now under active ex
Bleepingcomputer
CISA warns of N-able N-central flaws exploited in zero-day attacks
blogs_bleepingcomputer·2025-08-14·CVSS 9.4
[CRITICAL] CISA warns of N-able N-central flaws exploited in zero-day attacks
## CISA warns of N-able N-central flaws exploited in zero-day attacks
## Sergiu Gatlan
CISA warned on Wednesday that attackers are actively exploiting two security vulnerabilities in N‑able's N-central remote monitoring and management (RMM) platform.
N-central is commonly used by managed services providers (MSPs) and IT departments to monitor, manage, and maintain client networks and devices from a centralized web-based console.
According to CISA, the two flaws can allow authenticated attackers to gain command execution via an insecure deserialization weakness (CVE-2025-8875) and inject commands by exploiting an improper sanitization of user input vulnerability (CVE-2025-8876).
N-able confirms CISA's report that the security bugs are now being exploited in the wild and has patche
Greynoiseio
NoiseLetter September 2025
blogs_greynoiseio
Recorded Future
August 2025 CVE Landscape
blogs_recorded_future·CVSS 8.8
[HIGH] August 2025 CVE Landscape
# August 2025 CVE Landscape
In August 2025, Recorded Future’s Insikt Group® identified eighteen high-impact vulnerabilities that should be prioritized for remediation. This represents a decrease from the 22 identified in July.
However, the number of Very Critical vulnerabilities has remained the same (16) compared to July. These vulnerabilities have affected the following vendors: Trend Micro, WinRAR, N-able, Cisco, Apple, Citrix, FreePBX, Git, Microsoft, D-Link, and Fortinet.
August was dominated by Citrix and D-Link flaws, which represented six of the eighteen vulnerabilities. Threat actors actively exploited Citrix NetScaler ADC, NetScaler Gateway, and Citrix Session Recording products, as well as D-Link DNR-322L and DCS-2530L routers.
Recorded Future Insikt Group’s CVE Findings fro
2025-08-14: Published
2025-08-13: Added to CISA KEV
Exploited in the wild