CVE-2025-11367
📋 TL;DR
CVE-2025-11367 allows remote attackers to execute arbitrary code on systems running vulnerable versions of N-central Software Probe via insecure deserialization. This affects organizations using N-central Software Probe versions before 2025.4 for Windows monitoring and management.
💻 Affected Systems
- N-central Software Probe
📦 What is this software?
N-central by N-able
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attacker to install malware, steal credentials, pivot to other systems, and maintain persistent access.
Likely Case
Attacker gains initial foothold on the system, installs ransomware or backdoors, and potentially moves laterally within the network.
If Mitigated
Attack is blocked at network perimeter or detected by security controls before successful exploitation.
🎯 Exploit Status
Deserialization vulnerabilities are commonly exploited, and this one has a high CVSS score, making weaponization likely even without a public PoC.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.4 or later
Vendor Advisory: https://me.n-able.com/s/security-advisory/aArVy0000000rfRKAQ/cve202511367-ncentral-windows-software-probe-remote-code-execution
Restart Required: Yes
Instructions:
1. Download N-central Software Probe version 2025.4 or later from the N-able portal.
2. Install the update on all affected systems.
3. Restart the Software Probe service or reboot the system.
🔧 Temporary Workarounds
Network Segmentation
All platforms: Restrict network access to Software Probe instances to only trusted management systems
Firewall Rules
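Windows: Block inbound connections to Software Probe ports from untrusted networks. The rule below uses remoteip=any, which blocks every remote address; replace <probe_port> with the port the probe listens on, and narrow remoteip to the untrusted ranges if trusted management systems must still connect.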
netsh advfirewall firewall add rule name="Block N-central Probe" dir=in action=block protocol=TCP localport=<probe_port> remoteip=any
🧯 If You Can't Patch
- Isolate affected systems in a separate network segment with strict access controls
- Implement application whitelisting to prevent execution of unauthorized binaries
🔍 How to Verify
Check if Vulnerable:
Check the Software Probe version in the N-central console, or run 'wmic product get name,version' and look for the N-central Software Probe entry.
Check Version:
wmic product where "name like '%N-central Software Probe%'" get version
Verify Fix Applied:
Verify that the version is 2025.4 or higher in the N-central console or via the version check command.
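The same version check as a PowerShell script, added here as an example and not taken from the vendor advisory. It reads the Uninstall registry keys instead of calling wmic, which is deprecated on current Windows releases. It assumes the installed product's DisplayName matches the name pattern from the wmic query above and that DisplayVersion starts with a dotted numeric version; the function names are hypothetical.

```powershell
# Added example: report whether an installed N-central Software Probe is at or
# above the fixed release (2025.4, per the Official Fix section).
# Assumptions: DisplayName matches the pattern from the page's wmic query and
# DisplayVersion begins with a dotted numeric version such as 2025.3.1.9.
$FixedVersion = [version]'2025.4'
$NamePattern  = '*N-central Software Probe*'

function Get-ProbeFixStatus {
    param([string]$DisplayVersion)
    # Keep only the leading major.minor[.build[.revision]] part of the string.
    if ($DisplayVersion -notmatch '^\d+(\.\d+){1,3}') { return 'Unknown' }
    $installed = [version]$Matches[0]
    if ($installed -ge $FixedVersion) { return 'Fixed' }
    return 'Vulnerable'
}

function Get-ProbeInstall {
    # Both views are checked so 32-bit installers on 64-bit hosts are not missed.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern } |
        ForEach-Object {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Name     = $_.DisplayName
                Version  = $_.DisplayVersion
                Status   = Get-ProbeFixStatus -DisplayVersion $_.DisplayVersion
            }
        }
}

$found = @(Get-ProbeInstall)
if ($found.Count -eq 0) {
    Write-Output "No product matching '$NamePattern' found on $env:COMPUTERNAME."
} else {
    $found | Format-Table -AutoSize
}
```

A status of Unknown means the version string could not be parsed and should be confirmed in the N-central console.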
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation from Software Probe service
- Deserialization errors in application logs
- Network connections from Software Probe to unexpected destinations
Network Indicators:
- Unusual traffic patterns to/from Software Probe ports
- Suspicious payloads in network traffic to probe service
SIEM Query:
source="*n-central*" AND (event_type="process_creation" OR event_type="deserialization_error")