Over 870 online instances of the N-able N-central management, automation, and orchestration tool used by managed service providers continue to be impacted by the insecure deserialization flaw, tracked as CVE-2025-8875, and command injection vulnerability, tracked as CVE-2025-8876, which have been exploited in limited attacks, SecurityWeek reports.
The U.S. had the most unpatched N-central instances, followed by Canada, the Netherlands, Australia, and the UK, findings from the Shadowserver Foundation revealed. Both security issues have already been addressed by N-able in N-central version 2025.3. "We have not seen any evidence of exploitations within N-able hosted cloud environments. We'll update customers with any additional information that becomes available as our investigation continues into this matter," said N-able. Attacks involving the N-able N-central bugs have prompted their inclusion in the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog, with federal agencies ordered to remediate the issues by August 20.
