CVE-2025-8876

Command Injection Vulnerability

CVSS 9.4 CRITICALEPSS 3.2%● KEVCWE-20

In short

N-able N-central fails to properly validate user input, allowing attackers to inject and execute arbitrary operating system commands on affected systems. This critical flaw can lead to complete system compromise.

Technical detail

An OS command injection vulnerability exists in N-central versions prior to 2025.3.1 due to improper input validation (CWE-20). An attacker can inject malicious commands through unsanitized user input, achieving remote code execution with system-level privileges. Exploitation requires network access to the affected N-central instance.

Summary generated and translated by AI from the official description.

Improper Input Validation vulnerability in N-able N-central allows OS Command Injection.This issue affects N-central: before 2025.3.1.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Affected products

N-able · N-central

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://status.n-able.com/2025/08/13/announcing-the-ga-of-n-central-2025-3-1/https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-8876