CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-11367

CVSS 10.0v4.0pub. 2025-11-12upd. 2025-11-14

The N-central Software Probe < 2025.4 is vulnerable to Remote Code Execution via deserialization

🤖 AI Analysis
How it works

The error classified as CWE-502 (Deserialization of Untrusted Data) involves the Software Probe component processing externally supplied serialized data without proper validation of its origin and content. An attacker requiring no authentication can deliver a crafted payload over the network, which is executed in the service process context during deserialization. The attack vector is network-based, requires no user interaction, and no elevated privileges, meaning full remote exploitation is possible.

Impact

An attacker can obtain remote code execution on the system running N-central Software Probe, and the high impact on confidentiality, integrity, and availability of both the local system and connected systems indicates the possibility of complete control takeover and potential lateral movement in the managed infrastructure.

Mitigation & patch

N-central Software Probe should be updated to version 2025.4 or later as soon as possible. Detailed instructions are available in the official security bulletin from the vendor at the address indicated in the references. Until the update is applied, consider restricting network access to ports used by Software Probe to trusted sources only.

Who is affected

N-Able N-Central Software Probe in versions earlier than 2025.4 (component running on Windows systems).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • N Able N Central

    APP
    N-Able
    < 2025.4
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
RCEDeserialization
CWE
References

Related vulnerabilities

CVE-2025-8875CRITICAL9.4⚠ KEVPL ✓ten sam produkt

Deserializacja niezaufanych danych w N-Able N-Central umożliwia RCE

CVE-2025-8876CRITICAL9.4⚠ KEVPL ✓ten sam produkt

OS Command Injection w N-able N-central (przed wersją 2025.3.1)

CVE-2025-11366CRITICAL9.4PL ✓ten sam produkt

Authentication bypass via path traversal w N-Able N-Central

CVE-2024-28200CRITICAL9.1PL ✓ten sam produkt

Authentication Bypass interfejsu użytkownika w N-Able N-Central

CVE-2024-5322CRITICAL9.1PL ✓ten sam produkt

Authentication Bypass w N-Able N-Central poprzez session rebinding (Entra SSO)