CVE-2025-8875 — N-able N-Central Insecure Deserialization Vulnerability

CVE-2025-8875

N-able N-Central RMM — Java Deserialization RCE; Paired with CVE-2025-8876 Command Injection; 7-Day Emergency Deadline

What is N-able N-Central?

N-able N-Central is a Remote Monitoring and Management (RMM) platform for Managed Service Providers (MSPs). See CVE-2025-8876 for the full MSP supply-chain context. CVE-2025-8875 and CVE-2025-8876 are companion vulnerabilities patched in the same N-Central 2025.3.1 emergency release.

Overview

CVE-2025-8875 is an insecure deserialization vulnerability (CWE-502) in N-able N-Central that allows an authenticated attacker with low-level access to achieve code execution on the N-Central server by submitting a maliciously crafted serialized object for deserialization. N-Central is a Java-based platform, and Java deserialization vulnerabilities are typically exploited through gadget chains in bundled libraries (such as Apache Commons Collections) to achieve arbitrary code execution. The CVSS attack vector for this CVE is Local (AV:L) rather than Network, reflecting that the deserialization trigger may require local access or an inter-process channel rather than direct HTTP exploitation.

Affected Versions

Product            Vulnerable    Fixed
N-able N-Central   < 2025.3.1    2025.3.1

Technical Details

The insecure deserialization (CWE-502) occurs in N-Central's Java application stack. N-Central uses Java serialization for internal data handling. When attacker-controlled serialized data is submitted to a vulnerable deserialization endpoint (accessible to authenticated low-privilege users), Java's native deserialization mechanism instantiates objects from the serialized data stream. By crafting a serialized payload using a deserialization gadget chain (a sequence of Java class instantiations that produces code execution as a side effect), the attacker achieves arbitrary code execution in the N-Central server process context.

Attack chain in MSP context: Once code execution is achieved on the N-Central server, the attacker has access to the RMM's legitimate remote management capabilities — enabling lateral movement to all managed client endpoints. This mirrors the chain for companion CVE-2025-8876 (command injection) — both CVEs lead to the same high-impact outcome from different technical mechanisms.

Chaining scenario:

  • CVE-2025-8875 (deserialization): initial RCE on N-Central server from low-privilege account
  • CVE-2025-8876 (command injection): persistence and privilege escalation

Discovery

Not publicly attributed.

Exploitation Context

CISA added CVE-2025-8875 to the KEV catalog simultaneously with CVE-2025-8876 on August 13, 2025, with the same 7-day emergency deadline. Both were actively exploited. The dual-CVE simultaneous listing suggests attackers chained both vulnerabilities in the same campaign or that both were independently discovered and exploited.

Remediation

  1. Upgrade N-Central to 2025.3.1 immediately. Both CVE-2025-8875 and CVE-2025-8876 are patched in this release. The CISA deadline was August 20, 2025.
  2. Enable MFA for all N-Central accounts — prevents credential-based initial access that would allow low-privilege authentication.
  3. Restrict N-Central access to known IP addresses; use VPN or IP allowlisting for all management access.
  4. Audit serialization endpoints — if the N-Central vendor provides guidance on disabling or restricting serialization endpoints, apply it.
  5. See CVE-2025-8876 for additional MSP-specific remediation guidance applicable to both CVEs.
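As a defender-side illustration of the deserialization mechanism described under Technical Details and of remediation step 4, the following is an added example (not N-able's or N-Central's code) of a JEP 290 ObjectInputFilter allowlist that rejects any class not explicitly permitted before its code can run. The StatusReport DTO, the depth and reference limits, and the HashMap used as a stand-in for a non-allowlisted type are all assumptions made for the demo.

```java
import java.io.*;
import java.util.HashMap;

public class DeserializationFilterDemo {
    // Hypothetical DTO standing in for a type the application legitimately deserializes.
    static final class StatusReport implements Serializable {
        private static final long serialVersionUID = 1L;
        final String host; final int load;
        StatusReport(String host, int load) { this.host = host; this.load = load; }
    }

    // Allowlist filter (JEP 290, java.io.ObjectInputFilter, Java 9+): only the DTO and
    // java.lang.String may be instantiated; "!*" rejects every other class, including
    // library gadget classes, before any of its code runs. maxdepth/maxrefs bound the
    // object graph so an oversized stream cannot exhaust memory or stack.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxrefs=100;" + StatusReport.class.getName() + ";java.lang.String;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // The filter must be installed before the first readObject() call on the stream.
    static Object safeRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Legitimate payload: allowed class, passes the filter.
        StatusReport ok = (StatusReport) safeRead(serialize(new StatusReport("agent-01", 42)));
        System.out.println("accepted: " + ok.host + " load=" + ok.load);

        // Stand-in for untrusted input: a class that is not on the allowlist. A gadget chain
        // begins with a non-allowlisted library class the same way and is cut off here.
        try {
            safeRead(serialize(new HashMap<String, String>()));
            System.out.println("BUG: non-allowlisted class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied process-wide without code changes via the `jdk.serialFilter` system property, which is the practical route when the vulnerable deserialization lives in third-party code.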

Key Details

Property               Value
CVE ID                 CVE-2025-8875
Vendor / Product       N-able — N-Central
NVD Published          2025-08-14
NVD Last Modified      2025-10-27
CVSS 3.1 Score         7.8
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-502
CISA KEV Added         2025-08-13
CISA KEV Deadline      2025-08-20
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector:        Local
Attack Complexity:    Low
Privileges Required:  Low
User Interaction:     None
Scope:                Unchanged
Confidentiality:      High
Integrity:            High
Availability:         High

Required Action

CISA BOD 22-01 Deadline: 2025-08-20. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2025-08-13   N-able releases N-Central 2025.3.1 with fix; CISA adds to KEV with 7-day emergency deadline
2025-08-14   CVE published
2025-08-20   CISA BOD 22-01 emergency remediation deadline (7 days)

References

Resource                                            Type
N-able N-Central 2025.3.1 Release Announcement      Vendor Advisory
NVD — CVE-2025-8875                                 Vulnerability Database
CISA KEV Catalog Entry                              US Government