N-able N-central Vulnerabilities (CVE-2025-9316, CVE-2025-11700)
Rapid Response Advisory
Horizon3.ai researchers identified two 0-days in N-able’s N-central appliance that, when combined, allow an unauthenticated attacker to access legacy APIs, write attacker-controlled files to disk, and exploit an XML External Entity parsing flaw to read sensitive configuration files from the appliance. These issues were discovered during analysis of the platform and responsibly disclosed to N-able in August.
The vulnerabilities are assigned CVE-2025-9316 and CVE-2025-11700. N-able remediated both issues in the 2025.4 release, including by removing access to the legacy SOAP EI API that enables the chain. Customers should update immediately or implement the network restrictions listed below.
Stop Guessing, Start Proving
What It Is and Why It Matters
Summary of the Weaknesses
- CVE-2025-9316 allows unauthenticated generation of appliance-level Session IDs, enabling attackers to remotely interact with sensitive APIs.
- CVE-2025-11700 exposes an XML External Entity (XXE) injection vulnerability within
importServiceFromFile, allowing attacker-controlled XML to be parsed. - When chained, these weaknesses allow an unauthenticated attacker to read sensitive files containing stored credentials, session tokens, and sensitive configuration information..
Why It Matters
N-central is a widely deployed Remote Monitoring & Management (RMM) platform used by MSPs, serving more than 500,000 SMBs and mid-market organizations. Compromise of a single N-central server could potentially enable attackers to push commands, malicious packages, or configuration changes to entire fleets of managed endpoints and servers, extending the blast radius.
An attacker could chain CVE-2025-9316 with CVE-2025-11700 to ultimately access credentials that give them the ability to fully compromise the appliance and integrated devices.
NodeZero Offensive Security Platform: Rapid Response Test
The NodeZero Rapid Response test safely evaluates exploitability via the full vulnerability chain.
- Validate with NodeZero Rapid Response test:
Run the test to confirm whether your N-central instance is currently exploitable. - Patch immediately:
Upgrade to N-central 2025.4, which remediates the latest disclosed vulnerabilities, the two mentioned here as well as CVE-2025-11367 (N-central windows software probe Remote Code Execution) and CVE-11366 (N-central Authentication bypass via path traversal). The fixes include removing access to the legacy SOAP EI API used in the exploit chain. - Re-run Rapid Response test after patching:
Confirm that the chained exploitation path is no longer viable.
Quick Actions
- Patch to N-central 2025.4 as soon as possible.
- If patching is delayed, restrict access to HTTP and HTTPS (tcp/80 and tcp/443) from trusted management networks only.
- Re-test after patching using the Rapid Response test to validate remediation.
Affected Versions and Patching
- Affected: N-central versions prior to 2025.4.
- Patched: N-central 2025.4. Verify that SOAP EI endpoints no longer respond after upgrading. With the patch, the N-central Mobile App, MDM, and External Data Feed services require migration to supported APIs.
- If you cannot update immediately, restrict access to tcp/80 and tcp/443.
Timeline
- August 2025: : Horizon3.ai researchers identified and disclosed issues.
- November 12-13, 2025: Vendor disclosed vulnerabilities and updated the 2025.4 release.
- November 13, 2025: Horizon3.ai releases Rapid Response test for the vulnerabilities.
