CVE-2025-11700
📋 TL;DR
N-central versions before 2025.4 are vulnerable to XML External Entity (XXE) injection attacks, allowing attackers to read arbitrary files from the server. This affects organizations using N-central for remote monitoring and management.
💻 Affected Systems
- N-central
📦 What is this software?
N-central by N-able
⚠️ Risk & Real-World Impact
Worst Case
Complete server file system disclosure including sensitive configuration files, credentials, and system data leading to full compromise.
Likely Case
Partial information disclosure of accessible files, potentially exposing configuration data and sensitive information.
If Mitigated
Limited or no data exposure if proper XML parsing configurations are enforced.
🎯 Exploit Status
Requires ability to submit XML data to vulnerable endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.4
Vendor Advisory: https://me.n-able.com/s/security-advisory/aArVy0000000rabKAA
Restart Required: Yes
Instructions:
1. Backup current configuration.
2. Download N-central 2025.4 from vendor portal.
3. Run installer with administrative privileges.
4. Restart all N-central services.
🔧 Temporary Workarounds
Disable XXE Processing
Configure XML parsers to disable external entity processing.
Set XML parser properties: FEATURE_SECURE_PROCESSING=true, DISALLOW_DOCTYPE_DECL=true
🧯 If You Can't Patch
- Implement strict input validation for all XML inputs
- Deploy WAF with XXE protection rules
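The parser properties named in the workaround are settings on the product's own (Java/JAXP) XML parser, which a customer cannot change in a vendor-shipped build. What an operator can do is enforce the same policy in front of the endpoint: refuse any document that carries a DOCTYPE or an entity declaration before it reaches the real parser. The following is an added example of such a pre-parse gate in Python using only the standard library; it is not N-able code, and the sample documents are constructed, not captured from N-central traffic.

```python
"""Pre-parse XXE gate: refuse any XML document that carries a DOCTYPE or an
entity declaration, the same policy as the JAXP disallow-doctype-decl feature
named in the workaround. Added example, not N-able code."""
from xml.parsers import expat


class UnsafeXmlError(ValueError):
    """The document contains a construct that XXE payloads depend on."""


def _refuse_doctype(name, system_id, public_id, has_internal_subset):
    # Fires on any <!DOCTYPE ...>, whether it points at an external DTD or only
    # carries an internal subset; legitimate API payloads need neither.
    raise UnsafeXmlError(f"DOCTYPE refused for root {name!r} (system id {system_id!r})")


def _refuse_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
    # Defence in depth: unreachable while DOCTYPEs are refused, kept so the
    # policy still holds if someone later relaxes the DOCTYPE handler.
    raise UnsafeXmlError(f"entity declaration refused: {name!r}")


def check_xml(data: bytes) -> None:
    """Raise UnsafeXmlError for XXE-shaped input, expat.ExpatError for malformed XML.

    Performs a full well-formedness parse without producing a tree, so the same
    bytes can be handed to the application parser afterwards. Expat reads the
    BOM and encoding declaration itself, so a UTF-16 payload is inspected
    correctly, which a byte-level search for b'<!DOCTYPE' would miss.
    """
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _refuse_doctype
    parser.EntityDeclHandler = _refuse_entity_decl
    # Never follow parameter entities to an external DTD during the check itself.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(data, True)


def rejection_reason(data: bytes) -> str:
    """'accepted', 'malformed', or 'unsafe: <detail>' for a candidate document."""
    try:
        check_xml(data)
    except UnsafeXmlError as exc:
        return f"unsafe: {exc}"
    except expat.ExpatError:
        return "malformed"
    return "accepted"


def is_safe_xml(data: bytes) -> bool:
    """True only for well-formed XML with no DOCTYPE or entity declarations."""
    return rejection_reason(data) == "accepted"


# Constructed sample documents (not captured from N-central traffic).
CLEAN_DOC = b"<?xml version='1.0'?><deviceReport><id>1042</id><status>ok</status></deviceReport>"
EXTERNAL_DTD_DOC = b"<?xml version='1.0'?><!DOCTYPE deviceReport SYSTEM 'http://example.invalid/report.dtd'><deviceReport/>"
INTERNAL_ENTITY_DOC = b"<?xml version='1.0'?><!DOCTYPE deviceReport [<!ENTITY greet 'hello'>]><deviceReport>&greet;</deviceReport>"
# Same DOCTYPE shape, but UTF-16 with a BOM: a naive substring filter would not see it.
UTF16_DOCTYPE_DOC = "<?xml version='1.0'?><!DOCTYPE r SYSTEM 'http://example.invalid/r.dtd'><r/>".encode("utf-16")
MALFORMED_DOC = b"<deviceReport><id>1042</deviceReport>"

if __name__ == "__main__":
    samples = [("clean", CLEAN_DOC), ("external DTD", EXTERNAL_DTD_DOC),
               ("internal entity", INTERNAL_ENTITY_DOC),
               ("UTF-16 DOCTYPE", UTF16_DOCTYPE_DOC), ("malformed", MALFORMED_DOC)]
    for label, doc in samples:
        print(f"{label:16s} -> {rejection_reason(doc)}")
```

Place the gate wherever the XML body is first available, such as a reverse proxy or API gateway in front of the N-central endpoints; it doubles as the "test XXE payloads are rejected" check in the verification step, since a DOCTYPE-bearing test document must come back refused.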
🔍 How to Verify
Check if Vulnerable:
Check the N-central version in the admin interface or via the 'n-central --version' command.
Check Version:
n-central --version
Verify Fix Applied:
Confirm the version is 2025.4 or higher and that test XXE payloads are rejected.
📡 Detection & Monitoring
Log Indicators:
- XML parsing errors
- File access attempts via XML endpoints
- Unusual XML payload sizes
Network Indicators:
- XML requests with DOCTYPE declarations
- External entity references in XML
SIEM Query:
source="n-central" AND (xml OR xxe OR doctype)
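The SIEM query above is a keyword filter; the indicators listed under Log and Network Indicators can be checked structurally once the matching records are pulled. The following is an added example, not N-able tooling, that runs those four indicators over constructed JSON-lines request records. The field names (`ts`, `src`, `endpoint`, `bytes`, `parser_result`, `body_head`) and the size threshold are assumptions, not N-central's log schema.

```python
"""Triage of XML-endpoint request records for the XXE indicators listed above:
DOCTYPE declarations, external entity references, parser errors and unusual
payload sizes. Added example over constructed records; the field names are
assumptions, not N-central's log schema."""
import json
import re
import statistics

# A DOCTYPE is enough to flag on its own: legitimate API payloads do not carry one.
# It must precede the root element, so a logged body prefix is exactly where it appears.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# Entity declarations that pull content from outside the document (SYSTEM or PUBLIC id).
EXTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\b[^>]*\b(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
# Bodies larger than this multiple of the median body size count as unusual (assumed threshold).
SIZE_FACTOR = 5.0

# Constructed records, one per XML request; `body_head` is the leading bytes of
# the request body as a collector might log them. Addresses are documentation ranges.
SAMPLE_LOGS = r'''
{"ts":"2025-05-02T10:15:03Z","src":"203.0.113.7","endpoint":"/api/xml","bytes":410,"parser_result":"ok","body_head":"<?xml version='1.0'?><deviceReport><id>1042</id>"}
{"ts":"2025-05-02T10:15:09Z","src":"203.0.113.7","endpoint":"/api/xml","bytes":398,"parser_result":"ok","body_head":"<?xml version='1.0'?><deviceReport><id>1043</id>"}
{"ts":"2025-05-02T10:16:44Z","src":"198.51.100.23","endpoint":"/api/xml","bytes":455,"parser_result":"ok","body_head":"<?xml version='1.0'?><deviceReport><id>2201</id>"}
{"ts":"2025-05-02T10:17:02Z","src":"198.51.100.23","endpoint":"/api/xml","bytes":512,"parser_result":"ok","body_head":"<?xml version='1.0'?><deviceReport><id>2202</id>"}
{"ts":"2025-05-02T10:17:30Z","src":"203.0.113.7","endpoint":"/api/xml","bytes":377,"parser_result":"ok","body_head":"<?xml version='1.0'?><deviceReport><id>1044</id>"}
{"ts":"2025-05-02T10:21:11Z","src":"192.0.2.44","endpoint":"/api/xml","bytes":9800,"parser_result":"ok","body_head":"<?xml version='1.0'?><deviceReport><id>3090</id>"}
{"ts":"2025-05-02T10:21:58Z","src":"192.0.2.44","endpoint":"/api/xml","bytes":520,"parser_result":"error: DOCTYPE is disallowed","body_head":"<?xml version='1.0'?><!DOCTYPE deviceReport [<!ENTITY ext SYSTEM 'http://example.invalid/x.dtd'>]><deviceReport>&ext;</deviceReport>"}
'''.strip().splitlines()


def indicators_for(event, median_bytes):
    """Return the indicator names a single request record trips, in a fixed order."""
    hits = []
    body = event.get("body_head", "")
    if DOCTYPE_RE.search(body):
        hits.append("doctype_declaration")
    if EXTERNAL_ENTITY_RE.search(body):
        hits.append("external_entity_reference")
    if event.get("parser_result", "ok") != "ok":
        hits.append("xml_parse_error")
    if median_bytes and event.get("bytes", 0) > SIZE_FACTOR * median_bytes:
        hits.append("unusual_payload_size")
    return hits


def triage(lines):
    """Parse JSON-lines records and return only the events that trip an indicator."""
    events = [json.loads(line) for line in lines if line.strip()]
    # The size baseline is taken from the batch itself; a long-term baseline per
    # endpoint is better in production, but the comparison is the same.
    median_bytes = statistics.median(e.get("bytes", 0) for e in events) if events else 0
    findings = []
    for event in events:
        hits = indicators_for(event, median_bytes)
        if hits:
            findings.append({"ts": event["ts"], "src": event["src"],
                             "endpoint": event["endpoint"], "indicators": hits})
    return findings


def sources_to_review(findings):
    """Distinct source addresses with findings, in first-seen order, for follow-up."""
    seen = []
    for finding in findings:
        if finding["src"] not in seen:
            seen.append(finding["src"])
    return seen


if __name__ == "__main__":
    results = triage(SAMPLE_LOGS)
    for finding in results:
        print(finding["ts"], finding["src"], finding["endpoint"], ", ".join(finding["indicators"]))
    print("sources to review:", sources_to_review(results))
```

A record that trips `doctype_declaration` or `external_entity_reference` warrants review regardless of whether the parser reported an error: on an unpatched host the parse succeeds, so the structural indicators, not the error log, are what catch it.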