CVE-2025-11700

HIGH EXPLOITED NUCLEI

N-able N-Central Authentication Bypass and XXE Scanner

Title source: metasploit
STIX 2.1

Exploitation Summary

CVE-2025-11700 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from researchers including horizon3ai, zyyyys123, Zach Hanley (Horizon3.ai), including a Metasploit module auxiliary/scanner/http/nable_ncentral_auth_bypass_xxe. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional Python exploit for chaining CVE-2025-9316 and CVE-2025-11700 to perform an unauthenticated XXE attack on N-able N-central, allowing sensitive file reads. The exploit includes a DTD server and multi-step SOAP request handling to extract credentials.

Description

N-central versions < 2025.4 are vulnerable to multiple XML External Entities injection leading to information disclosure

Exploits (3)

github WORKING POC 2 stars
by horizon3ai · pythonremote
https://github.com/horizon3ai/n-able_n-central_xxe_file_read

This repository contains a functional Python exploit for chaining CVE-2025-9316 and CVE-2025-11700 to perform an unauthenticated XXE attack on N-able N-central, allowing sensitive file reads. The exploit includes a DTD server and multi-step SOAP request handling to extract credentials.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: N-able N-central
No auth needed
Prerequisites: Network access to the N-central server · Python 3 environment
devstral-2 · analyzed Feb 19, 2026 Full analysis →
github WORKING POC
by zyyyys123 · gopoc
https://github.com/zyyyys123/CVE-2025-9316_CVE-2025-11700

This repository contains a functional Go-based exploit for CVE-2025-11700, an XXE vulnerability in N-able N-central. The exploit demonstrates a multi-step attack to extract a session ID, upload an XXE payload, and trigger the vulnerability to read arbitrary files.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: N-able N-central (versions prior to 2025.4)
No auth needed
Prerequisites: network access to the target · DNSLog domain for verification
devstral-2 · analyzed May 01, 2026 Full analysis →
metasploit WORKING POC
by Zach Hanley (Horizon3.ai) · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/nable_ncentral_auth_bypass_xxe.rb

This Metasploit module exploits CVE-2025-9316 (authentication bypass) and CVE-2025-11700 (XXE) in N-able N-Central. It first bypasses authentication via SOAP requests with appliance IDs, then leverages XXE to read arbitrary files.

Classification
Working Poc 95%
Attack Type
Auth Bypass | Info Leak
Complexity
Moderate
Reliability
Reliable
Target: N-able N-Central < 2025.4.0.9
No auth needed
Prerequisites: Network access to N-Central server · SOAP endpoint exposed
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

N-central - XML External Entities Injection
HIGHVERIFIEDby DhiyaneshDK,horizon3ai
Shodan: http.title:"N-central Login"

References (1)

Core 1

Scores

CVSS v3 7.5
EPSS 0.5295
EPSS Percentile 98.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

VulnCheck KEV 2025-12-15
CWE
CWE-611
Status published
Products (1)
n-able/n-central < 2025.4
Published Nov 12, 2025
Tracked Since Feb 18, 2026