N-able N-central, a popular remote monitoring and management (RMM) platform used by enterprises and managed service providers (MSPs), faces severe vulnerabilities that allow unauthenticated attackers to bypass authentication, write files, and disclose sensitive information via XML External Entity (XXE) injection.
These flaws, uncovered by Horizon3.ai researchers during analysis of earlier CISA Known Exploited Vulnerabilities (KEV) entries CVE-2025-8875 and CVE-2025-8876, chain together to compromise the entire system, exposing database credentials, SSH keys, and API tokens.
Approximately 3,000 instances remain exposed on the internet per Shodan scans, heightening the risk to unpatched deployments.
The vulnerabilities stem from legacy SOAP APIs such as /dms/services/ServerMMS and /dms/services/ServerUI.
CVE-2025-9316 enables unauthenticated session ID generation via the sessionHello method, exploiting default built-in appliances with static, known values to produce valid appliance-scoped session IDs.
Researchers combined this with an un-CVE’d limited file write in applianceLogSubmit, which stores arbitrary base64-encoded content at /opt/nable/webapps/ROOT/applianceLog/network_check_log_.log.
CVE-2025-11700 then triggers XXE in importServiceTemplateFromFile on ServerUI, where an insecure SAXParser in XMLValidator.validateXML lacks protection against external entities (CWE-611), allowing parsing of attacker-controlled XML without session validation.
Attackers can restore the database and decrypt secrets using the provided keys, granting domain credentials, N-central API keys, integrated service tokens, and private SSH keys for lateral movement. A proof-of-concept exploit chaining these is public on GitHub.
Attack Chain and Detection
Attackers retrieve appliance session IDs via crafted sessionHello SOAP requests, write malicious XXE payloads to log files, then import them for exfiltration, often targeting backups for full compromise.
Indicators include dmsservice.log errors such as “Failed to import service template from file,” which expose leaked content, “Exception calling ServerUI:importServiceTemplateFromFile,” and dmsservice_soap.log noting “servicetemplate xml could not be imported” with DTD references.
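As an added example (not from Horizon3.ai or N-able), the following script scans the two log files named above for the quoted indicator strings and separates ordinary template-import failures from lines that also carry a DTD reference; the sample log lines are constructed and the log line format is assumed.

```python
import re
from dataclasses import dataclass

# Indicator strings quoted in the advisory; the sample log lines further down
# are constructed for this example and are not real N-central output.
INDICATORS = {
    "dmsservice.log": (
        "Failed to import service template from file",
        "Exception calling ServerUI:importServiceTemplateFromFile",
    ),
    "dmsservice_soap.log": ("servicetemplate xml could not be imported",),
}

# A DOCTYPE or ENTITY declaration echoed inside an import error separates an
# external-entity payload from an ordinary malformed template.
DTD_RE = re.compile(r"<!DOCTYPE|<!ENTITY", re.IGNORECASE)

@dataclass
class Hit:
    logfile: str
    lineno: int
    indicator: str
    dtd_reference: bool

def scan_log(logfile: str, lines) -> list:
    """Return one Hit per line carrying a known indicator for that log file."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for ind in INDICATORS.get(logfile, ()):
            if ind in line:
                hits.append(Hit(logfile, n, ind, bool(DTD_RE.search(line))))
                break  # one hit per line; first matching indicator wins
    return hits

def high_confidence(hits) -> list:
    """Indicator hits that also carry a DTD reference: treat as XXE attempts."""
    return [h for h in hits if h.dtd_reference]

# Constructed sample: a benign malformed-template failure, then a DTD-bearing one.
SAMPLE_DMS = [
    "INFO  ServiceTemplateService - import started",
    "ERROR Failed to import service template from file: unexpected end of document",
    'ERROR Failed to import service template from file: <!DOCTYPE t SYSTEM "http://example.invalid/t.dtd">',
]

if __name__ == "__main__":
    for h in high_confidence(scan_log("dmsservice.log", SAMPLE_DMS)):
        print(f"{h.logfile}:{h.lineno} {h.indicator!r} with DTD reference")
```

Run it against the real dmsservice.log and dmsservice_soap.log by feeding each file's lines to scan_log with the matching key; a DTD-bearing hit should also be correlated with prior sessionHello and applianceLogSubmit activity in the SOAP log.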
N-able patched these issues in 2025.4.0.9 by disabling the vulnerable APIs by default and hardening the XML parsers.