Over 800 N-able N-central Servers Still Unpatched Against Critical Exploited Flaws

Healthcare IT providers are advised to patch immediately to avoid getting hacked.

Leon Yen

As first reported by Bleeping Computer, more than 800 N-able N-central servers remain vulnerable to a pair of critical flaws actively exploited in the wild, despite patches being available. The vulnerabilities, tracked as CVE-2025-8875 and CVE-2025-8876, allow attackers to inject commands through unsanitized user input and execute remote commands via insecure deserialization. N-central, a platform widely used by managed service providers (MSPs) and IT departments, provides centralized monitoring and management for networks and devices, making the flaws particularly dangerous.

N-able addressed the bugs in its 2025.3.1 release and confirmed that attackers are already abusing the flaws in limited on-premises environments. While the company has not observed exploitation in its hosted cloud environments, it has urged administrators to immediately update vulnerable systems, warning that detailed CVE information will be released in line with its three-week disclosure policy. Security nonprofit Shadowserver reports 880 N-central servers still exposed, mainly in the U.S., Canada, and the Netherlands, though total exposure across the internet is closer to 2,000 instances.

The urgency of the threat prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the vulnerabilities to its Known Exploited Vulnerabilities Catalog. Federal agencies, including the Departments of Homeland Security, Treasury, and Energy, were ordered to patch all affected systems within one week, by August 20, under Binding Operational Directive 22-01. With active exploitation confirmed, organizations that fail to apply patches risk compromise through attacks already circulating in the wild.

As N-able RMM is popular among medical and healthcare organizations, IT providers should verify that they’ve applied the proper mitigations immediately to avoid getting compromised.

Leon is a medtech and public health journalist based in San Francisco.