
N-central Zero-Day Attack — How Safe Is Your Server?

Two critical security vulnerabilities (CVE-2025-8875, CVE-2025-8876) recently discovered in N-able’s N-central platform are being actively exploited, posing severe risks to Managed Service Providers (MSPs) and IT departments worldwide. N-central is a Remote Monitoring and Management (RMM) platform that enables MSPs and IT teams to centrally monitor and manage networks and endpoints. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog and ordered federal agencies to apply emergency patches.

This article reviews the vulnerabilities and current threat landscape while demonstrating how Criminal IP can be used to detect and respond to N-central Zero-Day exploitation attempts.

CVE-2025-8875, CVE-2025-8876 Overview

  • CVE-2025-8875 (Command Injection)
    • A vulnerability where insufficient user input validation allows an authenticated attacker to inject system commands
  • CVE-2025-8876 (Insecure Deserialization)
    • A vulnerability that exploits insecure deserialization logic to allow remote attackers to execute arbitrary commands

Both vulnerabilities can lead to privilege escalation and remote command execution, putting not only N-central servers at risk but also downstream MSP customer assets.

N-able released a security patch in version 2025.3.1, and immediate action is required for any environments that have not yet updated.

N-central Zero-Day Threat Status: 2,140 Servers Exposed Worldwide

Using Criminal IP’s Asset Search, you can quickly identify assets with the same conditions targeted by attackers and analyze specific N-central server details to determine what security risks are present. The following are key security issues identified using the Asset Search feature.

Criminal IP Search Query: title: "N-central Login Redirect"

The results of a Criminal IP Asset Search for title: “N-central Login Redirect”.

According to the Criminal IP Asset Search results, a total of 2,140 N-central assets were detected using the title: “N-central Login Redirect” query.
Of these 2,000+ detected assets, many servers have not been upgraded to version 2025.3.1, meaning attackers can still scan and directly target vulnerable management servers.
In addition to the basic search results, Criminal IP provides detailed Element Analysis information, segmented by country and region. You can check these results by clicking the ‘More’ button in the bottom right corner.

Criminal IP Element Analysis Search results: Statistical distribution of N-central Login Redirect servers by country

N-central servers were detected in more than 20 countries worldwide. The United States had the most servers with a total of 873, followed by Germany (230), Australia (193), the Netherlands (183), and the United Kingdom (169), which make up the top five. This indicates that N-central is widely used in MSP and enterprise environments in these regions, and it suggests a high risk of heavy exploitation through zero-day attacks such as CVE-2025-8875 and CVE-2025-8876 if patching is delayed.

Detection and Analysis of N-central Zero-Day Assets (CVE-2025-8875, CVE-2025-8876) by Criminal IP

Beyond the simple search results, you can get a much more specific understanding of the existing risks by opening a detailed report on a particular N-central server.

Vulnerability status of an N-central Server confirmed on the Criminal IP Asset Search page

In the IP address report from Criminal IP, one N-central server was found to be using a self-signed SSL certificate. This indicates a weak authentication system that attackers could exploit.
The server also exposed 10 open ports and 5 vulnerabilities, providing multiple entry points for attackers.

Login Redirect banner found on port 443 of the N-central server

The server’s TCP 443 (HTTPS) port was publicly exposed with the title “N-central Login Redirect.” This means attackers could directly access the login page and attempt authentication bypass or exploit vulnerabilities. In particular, when combined with vulnerabilities like CVE-2025-8875 (Command Injection) or CVE-2025-8876 (Insecure Deserialization), this exposure could ultimately lead to full remote-control takeover.

Another vulnerability identified on the exposed N-central server, confirmed to have a publicly released PoC on GitHub

Criminal IP also provides information on the existence of public Proof-of-Concept (PoC) code related to the vulnerability. This code can easily be turned into a tool for attacks.
Therefore, it is important not only to check for open ports but also to verify whether public PoC exploit code has already been released.

N-central Zero-Day Response Plan

  • Immediate Patch Application
    • Update N-central to version 2025.3.1 or higher
    • Strengthen security settings based on vendor recommendations
  • Exposed Asset Inspection
    • Use Criminal IP to search for title: "N-central Login Redirect"
    • Filter by SSL certificate and version to identify unpatched servers
  • Enhanced Security Monitoring
    • Review server logs and detect abnormal command execution
    • Check for unauthorized account creation
  • Prepare Alternatives
    • If patching is not possible, consider blocking internet exposure or suspending the service
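
The patch and exposure steps of this plan can be applied to an internal inventory as in the following added example, which is not part of the original article or of any Criminal IP or N-able tooling. The CSV column names, host names and version strings are constructed for illustration; only the fixed version 2025.3.1 comes from the article.

```python
import csv
import io
import re

FIXED_VERSION = (2025, 3, 1)  # patched release named in the article

# Constructed sample inventory; the column names are assumptions for this example.
SAMPLE_INVENTORY = """host,version,internet_exposed
rmm-a.example.internal,2025.3.1.9,yes
rmm-b.example.internal,2025.2.0.4,yes
rmm-c.example.internal,2024.6.0.32,no
rmm-d.example.internal,,yes
rmm-e.example.internal,2025.10.0,no
"""

def parse_version(text):
    """Return the leading dotted-numeric version as a tuple of ints, or None."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text or "")
    return tuple(int(part) for part in match.group(1).split(".")) if match else None

def is_patched(version):
    """True when version >= FIXED_VERSION, compared numerically, not as strings."""
    padded = version + (0,) * (len(FIXED_VERSION) - len(version))
    return padded >= FIXED_VERSION

def triage(inventory_csv):
    """Map each host to an action that follows the response plan above."""
    actions = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row["version"])
        exposed = row["internet_exposed"].strip().lower() == "yes"
        if version is not None and is_patched(version):
            actions[row["host"]] = "ok"
        elif exposed:
            # Unknown versions are treated as unpatched until verified.
            actions[row["host"]] = "patch-now-or-block-exposure"
        else:
            actions[row["host"]] = "patch"
    return actions

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY).items():
        print(f"{host:28} {action}")
```

Comparing versions as integer tuples matters here: a plain string comparison would rank 2025.10.0 below 2025.3.1 and flag a newer release as unpatched.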

Conclusion

N-able N-central is a critical management platform used by numerous MSPs and IT departments. The exploitation of these vulnerabilities could lead to large-scale supply chain attacks that extend beyond a single server compromise.

Administrators must be aware that patching delays can expand the risk to all MSP clients and should take immediate security measures. It is essential to use attack surface management (ASM) and threat intelligence tools like Criminal IP to identify exposed assets and continuously monitor their security posture.


Source: Criminal IP (https://www.criminalip.io)

Related article: https://www.criminalip.io/knowledge-hub/blog/26791