As of August 15, 2025, cybersecurity researchers have identified 1,077 unique IP addresses running outdated versions of N-able N-central Remote Monitoring and Management (RMM) servers. These servers are vulnerable to two newly disclosed zero-day vulnerabilities, CVE-2025-8875 and CVE-2025-8876, posing significant risks to managed service providers (MSPs) and their clients.
Geographical Distribution of Vulnerable Servers
The Shadowserver Foundation’s scan data reveals that the majority of these unpatched servers are located in:
– United States: 440 IPs
– Canada: 112 IPs
– Netherlands: 110 IPs
– United Kingdom: 98 IPs
Additional exposed instances have been found in Australia and South Africa.
Details of the Vulnerabilities
Both CVE-2025-8875 and CVE-2025-8876 are classified as authentication-required Remote Code Execution (RCE) vulnerabilities affecting HTTP-accessible N-central deployments. While authentication requirements may limit initial attack vectors, threat actors who obtain credentials—through phishing or prior compromises—can exploit these flaws to execute arbitrary commands, escalate privileges, and potentially pivot within MSP-managed environments.
Recommended Actions
N-able has released version 2025.3.1 to address these vulnerabilities. Administrators are urged to upgrade their on-premises N-central installations immediately. The update introduces vital audit logging improvements for SSH and scheduled tasks (such as SSH Login, Scheduled Task Edited, Script Deleted) and supports Syslog export for enhanced compliance monitoring.
Broader Implications
The exploitation of legitimate RMM tools by cybercriminals is a growing concern. Threat actors have been observed leveraging these tools to infiltrate networks, maintain access, and facilitate lateral movement. Common RMM applications being exploited include AnyDesk, TeamViewer, ScreenConnect, Quick Assist, and Splashtop. These tools, typically used by IT administrators for system maintenance and support, provide attackers with powerful capabilities that often evade traditional security measures due to their trusted status within enterprise environments.
Detection and Mitigation Strategies
Security teams can detect suspicious RMM deployments by identifying executions from abnormal locations in the file system. Implementing strict application control policies and monitoring network connections from RMM tools can help identify potentially malicious command and control traffic. Organizations are advised to conduct regular audits of their RMM tools and ensure they are updated to the latest versions to mitigate potential threats.
Conclusion
The exposure of over 1,000 N-able N-central RMM servers to critical zero-day vulnerabilities underscores the importance of timely software updates and vigilant monitoring of remote access tools. MSPs and their clients must prioritize the patching of these vulnerabilities to safeguard their networks against potential exploits.
