CVE-2025-11700

HIGH
2025-11-12 a5532a13-c4dd-4202-bef1-e0b8f2f8d12b
8.4
CVSS 4.0
Share

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Mar 28, 2026 - 19:21 vuln.today
CVE Published
Nov 12, 2025 - 16:15 nvd
HIGH 8.4

Tags

XXE Information Disclosure N Central

Description

N-central versions < 2025.4 are vulnerable to multiple XML External Entities injection leading to information disclosure

Analysis

N-able N-central remote monitoring and management platform versions before 2025.4 contain multiple XML External Entity injection vulnerabilities. Attackers can exploit these to read sensitive files from the RMM server, including configuration files containing credentials for all managed endpoints.

Technical Context

N-central's XML processing endpoints fail to disable external entity resolution. An attacker can inject XXE payloads that read local files from the N-central server. As an RMM platform, the server stores credentials, API keys, and configuration data for all managed devices and endpoints in the customer base.

Affected Products

['N-able N-central < 2025.4']

Remediation

Update to N-central 2025.4 or later. Disable XML external entity processing. Rotate all managed endpoint credentials. Review RMM audit logs for unauthorized access. Implement network segmentation for RMM infrastructure.

Priority Score

93
Low Medium High Critical
KEV: 0
EPSS: +51.2
CVSS: +42
POC: 0

Share

CVE-2025-11700 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy