A critical zero-day vulnerability in N-able N-central, tracked as CVE-2025-8876, has been actively exploited in the wild, prompting urgent attention from security teams. This flaw, which carries a CVSS score of 8.8, allows for OS command injection due to improper input validation, affecting versions of N-central prior to 2025.3.1. The vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) catalog on August 13, 2025, underscoring its significance and the need for immediate remediation.
The exploitation of CVE-2025-8876 began before its public disclosure, marking it as a zero-day with a Time to Exploit (TTE) of -1.6 days. This indicates that attackers had already leveraged the flaw in real-world scenarios before it was officially documented. The Exploit Prediction Scoring System (EPSS) rates this vulnerability at 0.090, suggesting a moderate likelihood of exploitation, which has already been realized.
N-able N-central is a widely used remote monitoring and management (RMM) tool, particularly popular among managed service providers (MSPs). The improper input validation flaw allows attackers to inject and execute arbitrary commands on the underlying operating system, potentially leading to unauthorized access and control over affected systems.
Organizations using N-central are urged to upgrade to version 2025.3.1 or later to mitigate this vulnerability. Given its inclusion in the KEV catalog and active exploitation status, security teams should prioritize patching and review their systems for any signs of compromise. Monitoring for unusual command execution patterns and reviewing access logs can help detect potential exploitation attempts.
CSURFACE