H3-2025-0054

N-able N-central Authenticated XML External Entity (XXE) Vulnerability

Category VULNERABILITY
Base Score 9.1

Description

This series of vulnerabilities was discovered by Horizon3.ai researchers and responsibly disclosed to N-able as 0-days. H3-2025-0054 (CVE-2025-11700) chains an authentication bypass, an authenticated file upload, and an authenticated XML External Entity (XXE) injection to read files on the N-central appliance.

Impact

Unauthenticated attackers with access to the N-central SOAP API service, which listens by default on tcp/80 and tcp/443, can read most files on the N-central appliance. Those files can include session tokens for authenticated users and background services; with such tokens an attacker can invoke many sensitive appliance operations, manage integrated appliances, and read service secrets.
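As an illustration of the vulnerability class named above, the following Python example is added here; it is not Horizon3.ai's proof of concept, it does not use N-central's request format, and it says nothing about how the appliance's parser is actually implemented. It shows the XXE pattern in a SOAP-style request: an external general entity with a file URI as its SYSTEM identifier, a parser that resolves such entities and so inlines the file into the response text, and a hardened parser that refuses any DOCTYPE or entity construct before it can be acted on. The operation names (`getVersion`, `echo`), the secret file and its contents are constructed for the example; the parser is Python's standard-library expat binding.

```python
import re
import tempfile
import urllib.request
import xml.parsers.expat as expat
from pathlib import Path

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed stand-in for a sensitive file on the appliance; the real
# file names and token formats are not given on this page.
SECRET_CONTENT = "session_token=abc123\n"


def make_secret_file() -> str:
    """Write the constructed secret to a temp file and return its path."""
    path = Path(tempfile.mkdtemp()) / "secret.txt"
    path.write_text(SECRET_CONTENT)
    return str(path)


def build_requests(secret_path: str) -> tuple[str, str]:
    """Return (benign SOAP request, SOAP request carrying a file-read XXE).

    The operation names are hypothetical, not N-central's."""
    benign = (
        '<?xml version="1.0"?>\n'
        f'<soap:Envelope xmlns:soap="{SOAP_NS}">\n'
        "  <soap:Body><getVersion/></soap:Body>\n"
        "</soap:Envelope>"
    )
    # Classic XXE: declare an external general entity whose SYSTEM identifier
    # is a file URI, then reference it in element content so a resolving
    # parser inlines the file where the reference sits.
    xxe = (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE soap:Envelope [\n"
        f'  <!ENTITY xxe SYSTEM "{Path(secret_path).as_uri()}">\n'
        "]>\n"
        f'<soap:Envelope xmlns:soap="{SOAP_NS}">\n'
        "  <soap:Body><echo>&xxe;</echo></soap:Body>\n"
        "</soap:Envelope>"
    )
    return benign, xxe


def parse_resolving_entities(data: str) -> str:
    """Vulnerable pattern: a parser that fetches whatever the SYSTEM identifier
    points at and returns the document's concatenated character data, so a
    request that echoes input leaks the file back to the caller."""
    text: list[str] = []
    parser = expat.ParserCreate()

    def on_external_ref(context, base, sysid, pubid):
        child = parser.ExternalEntityParserCreate(context)  # inherits handlers
        with urllib.request.urlopen(sysid) as fh:  # file:// URIs are honoured
            child.Parse(fh.read(), True)
        return 1  # tell expat the entity was handled

    parser.ExternalEntityRefHandler = on_external_ref
    parser.CharacterDataHandler = text.append
    parser.Parse(data, True)
    return "".join(text)


class UnsafeXml(ValueError):
    """Raised when a request contains DTD or entity constructs."""


def parse_rejecting_dtd(data: str) -> list[str]:
    """Hardened pattern: fail closed on any DOCTYPE, entity declaration or
    external entity reference; return the element names seen otherwise."""
    names: list[str] = []
    parser = expat.ParserCreate()

    def refuse(*_args):
        raise UnsafeXml("DTD and entity constructs are not accepted here")

    parser.StartDoctypeDeclHandler = refuse
    parser.EntityDeclHandler = refuse
    parser.ExternalEntityRefHandler = refuse
    parser.StartElementHandler = lambda name, _attrs: names.append(name)
    parser.Parse(data, True)
    return names


def hardened_accepts(data: str) -> bool:
    """True if the hardened parser accepts the request, False if it refuses."""
    try:
        parse_rejecting_dtd(data)
        return True
    except UnsafeXml:
        return False


# Cheap pre-parse check for a gateway or detection rule: SOAP messages are not
# allowed to carry a DTD at all, so any DOCTYPE/ENTITY marker is suspicious.
DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def looks_like_xxe(body: bytes) -> bool:
    return DTD_MARKER.search(body) is not None


if __name__ == "__main__":
    benign, xxe = build_requests(make_secret_file())
    print("leaked via resolving parser:", repr(parse_resolving_entities(xxe).strip()))
    print("hardened parser accepts benign:", hardened_accepts(benign))
    print("hardened parser accepts xxe:", hardened_accepts(xxe))
```

Refusing the DOCTYPE outright is the right fix for a SOAP endpoint, since the SOAP specification forbids a Document Type Declaration in messages; disabling only external entity resolution while still accepting DTDs leaves internal-entity expansion attacks open. The regex check is a detection aid for logs or a gateway, not a substitute for the parser-level refusal.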

References