N-able
Recent CVEs (17)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-47132 | | Critical | 0.64 | 9.8 | 0.01 | | Feb 8, 2024 | An issue discovered in N-able N-central before 2023.6 and earlier allows attackers to gain escalated privileges via API calls. |
| CVE-2024-5322 | | Critical | 0.59 | 9.1 | 0.00 | | Jul 1, 2024 | The N-central server is vulnerable to session rebinding of already authenticated users when using Entra SSO, which can lead to authentication bypass. This vulnerability is present in all Entra-supported deployments of N-central prior to 2024.3. |
| CVE-2024-28200 | | Critical | 0.59 | 9.1 | 0.02 | | Jul 1, 2024 | The N-central server is vulnerable to an authentication bypass of the user interface. This vulnerability is present in all deployments of N-central prior to 2024.2. This vulnerability was discovered through internal N-central source code review and N-able has not observed any… |
| CVE-2025-9316 | | Medium | 0.54 | — | 0.37 | | Nov 12, 2025 | N-central < 2025.4 can generate sessionIDs for unauthenticated users. This issue affects N-central: before 2025.4. |
| CVE-2023-47131 | | High | 0.49 | 7.5 | 0.01 | | Feb 8, 2024 | The N-able PassPortal extension before 3.29.2 for Chrome inserts sensitive information into a log file. |
| CVE-2023-27470 | | High | 0.46 | 7.0 | 0.01 | | Sep 11, 2023 | BASupSrvcUpdater.exe in N-able Take Control Agent through 7.0.41.1141 before 7.0.43 has a TOCTOU Race Condition via a pseudo-symlink at %PROGRAMDATA%\GetSupportService_N-Central\PushUpdates, leading to arbitrary file deletion. |
| CVE-2023-30297 | | High | 0.46 | 7.0 | 0.00 | | Aug 4, 2023 | An issue found in N-able Technologies N-central Server before 2023.4 allows a local attacker to execute arbitrary code via the monitoring function of the server. |
| CVE-2024-8510 | | Medium | 0.34 | 5.3 | 0.00 | | Mar 17, 2025 | N-central is vulnerable to a path traversal that allows unintended access to the Apache Tomcat WEB-INF directory. Customer data is not exposed. This vulnerability is present in all deployments of N-central prior to N-central 2024.6. |
| CVE-2023-37244 | | Medium | 0.34 | 5.3 | 0.00 | | May 2, 2024 | The affected AutomationManager.AgentService.exe application contains a TOCTOU race condition vulnerability that allows standard users to create a pseudo-symlink at C:\ProgramData\N-Able Technologies\AutomationManager\Temp, which could be leveraged by an attacker to manipulate… |
| CVE-2024-5445 | | Low | 0.25 | 3.8 | 0.00 | | Aug 12, 2024 | Ecosystem Agent version 4 < 4.1.5.2597 and Ecosystem Agent version 5 < 5.1.4.2473 did not properly validate SSL/TLS certificates, which could allow a malicious actor to perform a Man-in-the-Middle and intercept traffic between the agent and N-able servers from a privileged… |
| CVE-2025-8876 | | | 0.13 | — | 0.03 | KEV | Aug 14, 2025 | Improper Input Validation vulnerability in N-able N-central allows OS Command Injection. This issue affects N-central: before 2025.3.1. |
| CVE-2025-8875 | | | 0.12 | — | 0.02 | KEV | Aug 14, 2025 | Deserialization of Untrusted Data vulnerability in N-able N-central allows Local Execution of Code. This issue affects N-central: before 2025.3.1. |
| CVE-2025-11700 | | | 0.07 | — | 0.32 | | Nov 12, 2025 | N-central versions < 2025.4 are vulnerable to multiple XML External Entities injection leading to information disclosure |
| CVE-2025-11367 | | | 0.00 | — | 0.01 | | Nov 12, 2025 | The N-central Software Probe < 2025.4 is vulnerable to Remote Code Execution via deserialization |
| CVE-2025-11366 | | | 0.00 | — | 0.01 | | Nov 12, 2025 | N-central < 2025.4 is vulnerable to authentication bypass via path traversal |
| CVE-2025-10231 | | | 0.00 | — | 0.00 | | Sep 10, 2025 | An Incorrect File Handling Permission bug exists on the N-central Windows Agent and Probe that, in the right circumstances, can allow a local low-level user to run commands with elevated permissions. |
| CVE-2025-7051 | | | 0.00 | — | 0.00 | | Aug 21, 2025 | On N-central, it is possible for any authenticated user to read, write and modify syslog configuration across customers on an N-central server. This vulnerability is present in all deployments of N-central prior to 2025.2. |