CVE-2025-9316

MEDIUM EXPLOITED NUCLEI

N-central <2025.4 - Info Disclosure

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2025-9316 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from researchers including horizon3ai, zyyyys123, Zach Hanley (Horizon3.ai), including a Metasploit module auxiliary/scanner/http/nable_ncentral_auth_bypass_xxe. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional Python exploit for CVE-2025-9316, an unauthenticated XXE vulnerability in N-able N-central. The exploit chains with CVE-2025-11700 to read sensitive files by leveraging a DTD server and SOAP requests.

Description

N-central < 2025.4 can generate sessionIDs for unauthenticated users This issue affects N-central: before 2025.4.

Exploits (3)

nomisec WORKING POC 2 stars
by horizon3ai · remote
https://github.com/horizon3ai/n-able_n-central_xxe_file_read

This repository contains a functional Python exploit for CVE-2025-9316, an unauthenticated XXE vulnerability in N-able N-central. The exploit chains with CVE-2025-11700 to read sensitive files by leveraging a DTD server and SOAP requests.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: N-able N-central
No auth needed
Prerequisites: Network access to the target N-central instance · Ability to host a DTD server on an accessible IP/port
devstral-2 · analyzed Feb 19, 2026 Full analysis →
nomisec WORKING POC
by zyyyys123 · poc
https://github.com/zyyyys123/CVE-2025-9316_CVE-2025-11700

This repository contains a functional Go-based exploit for CVE-2025-11700, an XXE vulnerability in N-able N-central. The exploit demonstrates a multi-step attack to extract a session ID, upload an XXE payload, and trigger the vulnerability to read arbitrary files.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: N-able N-central (versions prior to 2025.4)
No auth needed
Prerequisites: network access to the target · valid DNSLog domain for verification
devstral-2 · analyzed Mar 03, 2026 Full analysis →
metasploit WORKING POC
by Zach Hanley (Horizon3.ai) · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/nable_ncentral_auth_bypass_xxe.rb

This Metasploit module exploits CVE-2025-9316 (authentication bypass) and CVE-2025-11700 (XXE) in N-able N-Central. It bypasses authentication via SOAP requests with appliance IDs and leverages XXE to read arbitrary files.

Classification
Working Poc 100%
Attack Type
Auth Bypass | Info Leak
Complexity
Moderate
Reliability
Reliable
Target: N-able N-Central < 2025.4.0.9
No auth needed
Prerequisites: network access to target · SOAP endpoint availability
devstral-2 · analyzed Jun 05, 2026 Full analysis →

Nuclei Templates (1)

N-central - Authentication Bypass
MEDIUMVERIFIEDby DhiyaneshDK,horizon3ai
Shodan: http.title:"N-central Login"

References (1)

Core 1

Scores

CVSS v4 6.9
EPSS 0.7142
EPSS Percentile 98.7%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

VulnCheck KEV 2025-12-15
CWE
CWE-1284
Status published
Products (1)
N-able/N-central < 2025.4
Published Nov 12, 2025
Tracked Since Feb 18, 2026