N-able’s N-central remote management and monitoring (RMM) platform faces critical security risks following the discovery of multiple vulnerabilities.
According to Horizon3.ai, the flaws allow unauthenticated attackers to bypass authentication, access legacy APIs, and exfiltrate sensitive files, including credentials and database backups.
The Vulnerability Chain
Earlier this year, N-able N-central was added to the CISA Known Exploited Vulnerabilities (KEV) catalog for CVE-2025-8875 and CVE-2025-8876.
These vulnerabilities enable authenticated attackers to achieve remote code execution via deserialization and command injection.

Horizon3.ai researchers found more serious flaws in the latest versions. They also uncovered new weaknesses and built a dangerous attack chain.

| Aspect | CVE-2025-9316 | CVE-2025-11700 |
| --- | --- | --- |
| CVE ID | CVE-2025-9316 | CVE-2025-11700 |
| Vulnerability Name | Authentication Bypass via Weak Authentication Method | XML External Entity (XXE) Information Leak |
| CVSS Score | 9.1 | 8.2 |
| Severity | Critical | High |

An unauthenticated attacker can exploit CVE-2025-9316, an authentication bypass caused by a weak authentication method in the legacy SOAP API, to obtain valid session IDs.
This initial access opens the door to CVE-2025-11700, an XML External Entity (XXE) injection vulnerability that allows reading arbitrary files from the filesystem.
With approximately 3,000 N-central instances exposed on the internet according to Shodan, the attack surface is significant.
Horizon3.ai researchers demonstrated how attackers can chain these vulnerabilities to read sensitive configuration files, including /opt/nable/var/ncsai/etc/ncbackup.conf, which contains database backup credentials stored in cleartext.

Most critically, accessing the N-central database backup reveals all integration secrets: domain credentials, API keys, SSH private keys, and encrypted database entries.
Using cryptographic keys stored in the backup (masterPassword and keystore.bcfks), attackers can decrypt all stored secrets, leading to complete infrastructure compromise.
N-able addressed these vulnerabilities in version 2025.4.0.9, released on November 5, 2025, by restricting access to vulnerable legacy SOAP API endpoints.
Organizations should upgrade immediately and review logs for indicators of exploitation, including “Failed to import service template” entries in dmsservice.log.
The vulnerability chain demonstrates why legacy API endpoints pose persistent security risks in enterprise software, particularly for widely deployed RMM solutions that threat actors commonly target.
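
The upgrade check and log review recommended above can be scripted. The following is an added triage example, not code from N-able or Horizon3.ai. It assumes the installed version is available as a dotted string, that rotated logs follow a `dmsservice.log*` naming pattern, and that the log directory is passed in by the operator; the sample log lines are constructed.

```python
import gzip
from pathlib import Path

FIXED_VERSION = (2025, 4, 0, 9)                  # fixed release named in the article
INDICATOR = "failed to import service template"  # log indicator named in the article

def is_patched(version):
    """True if a dotted N-central version string is at or above the fixed release."""
    parts = tuple(int(p) for p in version.strip().split("."))
    parts += (0,) * (len(FIXED_VERSION) - len(parts))  # "2025.4" -> 2025.4.0.0
    return parts >= FIXED_VERSION

def scan_lines(lines):
    """Return (line_number, text) for each line containing the indicator."""
    return [(n, line.rstrip("\n")) for n, line in enumerate(lines, 1)
            if INDICATOR in line.lower()]

def scan_log_dir(log_dir):
    """Scan dmsservice.log plus rotated copies (plain or gzip) under log_dir.
    The dmsservice.log* rotation naming is an assumption."""
    hits = {}
    for path in sorted(Path(log_dir).glob("dmsservice.log*")):
        opener = gzip.open if path.suffix == ".gz" else open
        with opener(path, "rt", errors="replace") as fh:
            found = scan_lines(fh)
        if found:
            hits[path.name] = found
    return hits

# Constructed sample lines; the real dmsservice.log layout may differ.
SAMPLE = [
    "2025-11-01 10:02:11 INFO  service template sync completed\n",
    "2025-11-01 10:05:42 ERROR Failed to import service template\n",
    "2025-11-01 10:05:43 INFO  heartbeat ok\n",
]

if __name__ == "__main__":
    import sys
    print("patched:", is_patched("2025.4.0.9"))
    print("sample hits:", scan_lines(SAMPLE))
    if len(sys.argv) > 1:                # optional: directory holding the logs
        for name, found in scan_log_dir(sys.argv[1]).items():
            print(name, len(found), "hit(s); first at line", found[0][0])
```

A hit is a lead for further investigation rather than proof of compromise, and an empty result only covers the log files still present on disk.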
