More than 800 N-able N-central servers remain unpatched against two critical vulnerabilities that security researchers say were actively exploited last week. N-able fixed both in N-central 2025.3.1 and urged admins to upgrade immediately, noting that exploitation has been observed in on-premises environments while "no evidence has been found in N-able's hosted cloud services." In its advisory, the company said details of the two CVEs will be published three weeks after the release, in line with its security practices, and encouraged administrators to secure their deployments promptly.
The two flaws are tracked as CVE-2025-8875 and CVE-2025-8876. CVE-2025-8875 is an insecure deserialization weakness that allows remote command execution on unpatched devices, while CVE-2025-8876 is a command injection bug that lets authenticated attackers inject commands because user input is not properly sanitized (the two are easy to confuse, as both lead to command execution; the CVE-to-class mapping above follows the CISA KEV entries). Both are fixed in N-central 2025.3.1.
Shadowserver Foundation, a nonprofit cyber threat intelligence group, reported that about 880 N-central servers remain vulnerable to these flaws, most of them located in the United States, Canada, and the Netherlands. Shadowserver cautioned that the figure is indicative rather than exact: it is a sum of per-scan unique-IP counts, so a single IP can be counted more than once. The group also noted that roughly 2,000 N-central instances are exposed online according to Shodan searches, so the vulnerable share is a sizeable fraction of everything reachable from the internet.
U.S. federal agencies have also been ordered to act. The Cybersecurity and Infrastructure Security Agency (CISA) added both flaws to its Known Exploited Vulnerabilities Catalog, confirming they were exploited as zero-days, and directed network defenders to apply the vendor's mitigations or to discontinue use of the product if no mitigation is available. Under Binding Operational Directive 22-01, Federal Civilian Executive Branch (FCEB) agencies, including the Department of Homeland Security, the Department of the Treasury, and the Department of Energy, were given one week, until August 20, to patch. CISA also encouraged non-government organizations to secure their systems while exploitation is ongoing.
On the vendor side, N-able reiterated that exploitation has been observed only in on-premises deployments, not in its hosted cloud environment. Admins running on-premises servers are urged to upgrade to N-central 2025.3.1 and then to check for signs of compromise, since patching closes the hole but does not undo an intrusion that already happened through it. Further details on the two CVEs are expected three weeks after the fixed release, per N-able's standard disclosure practice.
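The first practical step after reading an advisory like this is to find every on-premises server in your estate that is still below the fixed release. The following script is an added example and is not N-able's tooling or code from the article: it parses N-central-style `YEAR.RELEASE.PATCH[.BUILD]` version strings, compares them against 2025.3.1 (the fix version named in the advisory), and fails closed on anything it cannot parse. The inventory, hostnames, the `deployment` field, and the treatment of a pre-release suffix such as `-rc1` are all assumptions made for the example.

```python
"""Triage an N-central inventory against the fixed release 2025.3.1.

Added example, not vendor code. Hosts and versions below are constructed.
Hosted (vendor-managed) tenants are listed separately: N-able reported no
exploitation there, but you still want the vendor to confirm their version.
"""
from dataclasses import dataclass
from typing import Optional

FIXED_VERSION = "2025.3.1"  # fixed release named in N-able's advisory


@dataclass(frozen=True)
class Server:
    host: str
    deployment: str  # "on-prem" or "hosted" (assumed inventory field)
    version: str


def parse_version(version: str) -> Optional[tuple[int, int, int, int]]:
    """Parse 'YEAR.RELEASE.PATCH[.BUILD]' into a 4-tuple so that
    '2025.3.1' compares equal to '2025.3.1.0'.

    Each segment keeps only its leading digits ('1-rc1' -> 1; treating a
    pre-release as the base number is an assumption). Returns None when the
    first segment is not numeric, e.g. 'unknown'."""
    parts: list[int] = []
    for seg in version.strip().split("."):
        num = ""
        for ch in seg:
            if not ch.isdigit():
                break
            num += ch
        if not num:
            if not parts:
                return None  # no leading number at all: unparseable
            num = "0"  # a later non-numeric segment counts as 0
        parts.append(int(num))
    parts = (parts + [0, 0, 0, 0])[:4]  # pad/truncate to 4 segments
    return parts[0], parts[1], parts[2], parts[3]


def needs_patch(version: str) -> bool:
    """True when the version is below FIXED_VERSION, or cannot be parsed
    (fail closed: a server whose version we cannot prove is patched gets
    flagged rather than silently passed)."""
    parsed = parse_version(version)
    if parsed is None:
        return True
    return parsed < parse_version(FIXED_VERSION)


def triage(inventory: list[Server]) -> dict[str, list[str]]:
    """Group hosts into 'patch_now', 'ok' and 'hosted'."""
    groups: dict[str, list[str]] = {"patch_now": [], "ok": [], "hosted": []}
    for s in inventory:
        if s.deployment == "hosted":
            groups["hosted"].append(s.host)
        elif needs_patch(s.version):
            groups["patch_now"].append(s.host)
        else:
            groups["ok"].append(s.host)
    return groups


# Constructed sample inventory (not real hosts or observed versions).
INVENTORY = [
    Server("ncentral-01.example.internal", "on-prem", "2024.6.0.12"),
    Server("ncentral-02.example.internal", "on-prem", "2025.3.1"),
    Server("ncentral-03.example.internal", "on-prem", "2025.2.1"),
    Server("ncentral-04.example.internal", "on-prem", "2025.3.1.3"),
    Server("ncentral-05.example.internal", "on-prem", "unknown"),
    Server("tenant.n-central.example", "hosted", "2025.3.1"),
]

if __name__ == "__main__":
    for group, hosts in triage(INVENTORY).items():
        print(f"{group}:")
        for h in hosts:
            print(f"  {h}")
```

Feed it your real inventory export and treat every host in `patch_now` as both a patching target and an incident-response candidate; the version check only tells you which servers were exposed, not whether any of them were hit.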