CVE-2025-9316
N-central unauthenticated sessionID generation
In short
N-central versions before 2025.4 can create valid session IDs for users who haven't logged in. This allows attackers to impersonate users or bypass authentication checks.
Technical detail
N-central < 2025.4 generates valid sessionIDs without requiring prior authentication, enabling unauthenticated attackers to obtain legitimate session tokens. An attacker can leverage these tokens to access protected resources or perform actions as if they were an authenticated user, bypassing the application's access control mechanisms.
Summary generated and translated by AI from the official description.
N-central < 2025.4 can generate sessionIDs for unauthenticated users
This issue affects N-central: before 2025.4.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Affected products
N-able · N-central