Overview

• CISA placed CVE-2025-8875 and CVE-2025-8876 into its Known Exploited Vulnerabilities catalog after identifying signs of real-world attacks.
• The insecure deserialization and command-injection flaws in N-able N-Central enable remote command execution if left unpatched.
• N-able released fixes on August 13 in N-Central versions 2025.3.1 and 2024.6 HF2 and advised administrators to enable multi-factor authentication.
• Federal Civilian Executive Branch agencies have until August 20 to apply the mandatory updates or discontinue affected deployments.
• Information remains limited on how threat actors are exploiting the vulnerabilities and the overall impact on managed service providers’ environments.