Active Exploits Target MSP RMM Vulnerabilities (CVE-2025-8875, CVE-2025-8876)
▼ Summary
– Two vulnerabilities (CVE-2025-8875, CVE-2025-8876) in N-able’s N-central RMM solution are being exploited, prompting CISA to add them to its Known Exploited Vulnerabilities catalog.
– The flaws include an insecure deserialization issue (CVE-2025-8875) and a command injection vulnerability (CVE-2025-8876), requiring attacker authentication to exploit.
– N-able released patches in versions N-central v2025.3.1 and v2024.6 HF2, urging customers to update their on-premises installations immediately.
– N-able confirmed limited exploitation in on-premises environments but found no evidence of attacks in cloud-hosted instances.
– CISA could not confirm ransomware involvement but noted MSP-targeted attacks often aim to compromise customer systems.
Critical security flaws in N-central’s remote monitoring platform are now under active exploitation, putting managed service providers and their clients at risk. The vulnerabilities, tracked as CVE-2025-8875 and CVE-2025-8876, affect on-premises deployments of the widely used RMM solution developed by N-able. While public details remain limited, the US Cybersecurity and Infrastructure Security Agency (CISA) has confirmed active attacks by adding these flaws to its Known Exploited Vulnerabilities catalog.
N-central serves as a centralized management hub for MSPs, enabling remote oversight of diverse devices including workstations, servers, and networking equipment from major vendors. The platform’s widespread adoption makes these vulnerabilities particularly concerning, as successful exploitation could grant attackers access to multiple client networks through a single compromised system.
The first vulnerability (CVE-2025-8875) involves insecure deserialization, while the second (CVE-2025-8876) allows command injection. Both require valid authentication credentials, but once exploited, they enable privilege escalation and potential system takeover. N-able has released patches in versions 2025.3.1 and 2024.6 HF2, urging immediate updates for on-premises installations.
Though CISA hasn’t linked these exploits to specific ransomware campaigns, MSP-focused attacks remain a favored tactic for threat actors seeking broad network access. N-able’s investigation revealed limited exploitation in on-premises environments, with no evidence of cloud platform compromises. The company plans to disclose full technical details within weeks while continuing to monitor the situation.
Federal agencies received a one-week deadline to implement mitigations, highlighting the urgency. Organizations relying on N-central should prioritize patching and review access controls, particularly for administrative accounts. The absence of public exploit reports doesn’t indicate safety, silent attacks often precede larger breaches.
For ongoing updates on critical vulnerabilities and emerging threats, security teams should monitor official advisories and maintain robust patch management protocols. The interconnected nature of MSP ecosystems means delays in remediation could have cascading consequences across client networks.
(Source: HelpNet Security)
