cognitive cybersecurity intelligence

News and Analysis

Search

1000+ Exposed N-able N-central RMM Servers Unpatched for 0-Day Vulnerabilities

1000+ Exposed N-able N-central RMM Servers Unpatched for 0-Day Vulnerabilities

Over 1,000 exposed and unpatched N-able N-central Remote Monitoring and Management (RMM) servers are vulnerable to two newly disclosed zero-day vulnerabilities – CVE-2025-8875 and CVE-2025-8876. 

As of August 15, 2025, exactly 1,077 unique IPs have been identified as running outdated N-central versions, presenting a significant risk to managed service providers (MSPs) and their clients. 

These vulnerabilities are now tracked in the CISA Known Exploited Vulnerabilities (KEV) catalog, underlining their severity.

Key Takeaways
1. 1,077 unpatched N-able N-central RMM servers exposed to CVE-2025-8875 & CVE-2025-8876 zero-days.
2. RCE vulnerabilities allow attackers to compromise MSP environments.
3. Immediate upgrade required.

The Shadowserver Foundation scan data reveals that unpatched servers are concentrated in the United States (440 IPs), Canada (112 IPs), the Netherlands (110 IPs), and the United Kingdom (98 IPs), with additional exposed instances found in Australia and South Africa. 

Top affected countries

N-able N-central Vulnerabilities

Both vulnerabilities affect HTTP-accessible N-central deployments and remain exploitable until administrators apply the newly released version 2025.3.1 security patch.

CVE-2025-8875 and CVE-2025-8876 are classified as authentication-required RCE (Remote Code Execution) vulnerabilities. 

While authentication limits initial attack vectors, threat actors who obtain credentials—through phishing or prior compromises—can exploit these flaws to execute arbitrary commands, escalate privileges, and potentially pivot within MSP-managed environments.

N-able’s recommended upgrade path is critical: “You must upgrade your on-premises N-central to 2025.3.1. 

Details of the CVEs will be published three weeks after the release as per our security practices.” 

The update introduces vital audit logging improvements for SSH and scheduled tasks (such as “SSH Login”, “Scheduled Task Edited”, “Script Deleted”) and supports Syslog export for enhanced compliance monitoring.

Administrators can configure the new audit logging using:

Alongside these security upgrades, N-central’s Device Management API has improved automation. MSPs can now onboard endpoints in bulk via POST /api/device and retrieve application details using:

These enhancements empower defenders to audit user activity and accelerate device onboarding, but require timely remediation. 

Any instances receiving Shadowserver alerts should be immediately reviewed for compromise and patched using N-able’s official update.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.
The post 1000+ Exposed N-able N-central RMM Servers Unpatched for 0-Day Vulnerabilities appeared first on Cyber Security News.

Source: cybersecuritynews.com –

Subscribe to newsletter

Subscribe to HEAL Security Dispatch for the latest healthcare cybersecurity news and analysis.

More Posts