Skip to main content

N Central CVE-2025-11700

HIGH
Improper Restriction of XML External Entity Reference (CWE-611)
2025-11-12 a5532a13-c4dd-4202-bef1-e0b8f2f8d12b
Information Disclosure XXE N Central
8.4
CVSS 4.0
Share

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Mar 28, 2026 - 19:21 vuln.today
CVE Published
Nov 12, 2025 - 16:15 nvd
HIGH 8.4

DescriptionNVD

N-central versions < 2025.4 are vulnerable to multiple XML External Entities injection leading to information disclosure

AnalysisAI

N-able N-central remote monitoring and management platform versions before 2025.4 contain multiple XML External Entity injection vulnerabilities. Attackers can exploit these to read sensitive files from the RMM server, including configuration files containing credentials for all managed endpoints.

Technical ContextAI

N-central's XML processing endpoints fail to disable external entity resolution. An attacker can inject XXE payloads that read local files from the N-central server. As an RMM platform, the server stores credentials, API keys, and configuration data for all managed devices and endpoints in the customer base.

RemediationAI

Update to N-central 2025.4 or later. Disable XML external entity processing. Rotate all managed endpoint credentials. Review RMM audit logs for unauthorized access. Implement network segmentation for RMM infrastructure.

Share

CVE-2025-11700 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy