CVE-2025-11367 Overview
CVE-2025-11367 is an insecure deserialization vulnerability [CWE-502] in the N-able N-central Windows Software Probe affecting versions prior to 2025.4. An unauthenticated attacker can send crafted serialized data over the network to achieve remote code execution on the host running the probe. The N-central platform is widely used by managed service providers (MSPs) for remote monitoring and management, which expands the blast radius across downstream customer environments.
Critical Impact
Unauthenticated attackers can execute arbitrary code on systems running the N-central Windows Software Probe, with confidentiality, integrity, and availability all fully compromised and the impact extending to subsequent systems.
Affected Products
- N-able N-central Windows Software Probe versions prior to 2025.4
- Deployments using the affected probe component on Windows hosts
- MSP-managed endpoints reachable through the compromised probe
Discovery Timeline
- 2025-11-12 - CVE-2025-11367 published to the National Vulnerability Database
- 2025-11-14 - Last updated in NVD database
Technical Details for CVE-2025-11367
Vulnerability Analysis
The N-central Software Probe deserializes attacker-controlled data without sufficient validation of the object type or content. Insecure deserialization flaws of this class allow adversaries to instantiate arbitrary objects, trigger gadget chains, and execute code in the context of the probe service. Because the probe typically runs with elevated privileges to perform monitoring, scanning, and remote management tasks, successful exploitation grants attackers substantial control of the affected host.
The vulnerability carries an EPSS probability of 2.089% in the 84th percentile, indicating measurable interest relative to other public CVEs. N-able classifies the issue under their security advisory portal and has shipped a fixed release in N-central 2025.4.
Root Cause
The root cause is unsafe handling of serialized objects within the Windows Software Probe component. The probe accepts serialized input and reconstructs objects without enforcing strict type allow-lists, signature validation, or integrity checks. This is the canonical pattern described by CWE-502: Deserialization of Untrusted Data.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker who can reach the probe's listening service over the network sends a malicious serialized payload. The probe deserializes the payload during normal processing, triggering a gadget chain that executes attacker-supplied commands. From this foothold, adversaries can pivot into managed endpoints because the probe acts as a trusted component within the N-central architecture.
No public proof-of-concept exploit code is currently listed for this CVE. Refer to the N-able Security Advisory for CVE-2025-11367 for vendor-provided technical context.
Detection Methods for CVE-2025-11367
Indicators of Compromise
- Unexpected child processes spawned by the N-central probe service on Windows hosts, particularly cmd.exe, powershell.exe, or script interpreters
- Outbound network connections from the probe process to unfamiliar external IP addresses or domains
- New scheduled tasks, services, or persistence artifacts created shortly after probe activity
- Anomalous inbound traffic to the probe's listening port from non-management subnets
Detection Strategies
- Monitor process lineage to flag the N-central probe binary launching shells, encoded PowerShell, or living-off-the-land binaries
- Apply behavioral rules for unexpected file writes or registry modifications by the probe process
- Inspect network telemetry for serialized object signatures (for example, .NETBinaryFormatter magic bytes or Java AC ED 00 05) targeting the probe service
Monitoring Recommendations
- Centralize Windows event logs, Sysmon process and network events, and EDR telemetry from all hosts running the probe
- Alert on first-time outbound connections from the probe process and on any privilege escalation events tied to its service account
- Audit MSP-to-tenant connections for lateral movement attempts originating from compromised probe hosts
How to Mitigate CVE-2025-11367
Immediate Actions Required
- Upgrade N-central and the Windows Software Probe to version 2025.4 or later without delay
- Inventory every host running the probe component and confirm the installed version against the fixed release
- Restrict network access to probe listeners using host-based firewalls and segmentation so only trusted management infrastructure can reach them
- Review probe hosts for indicators of prior exploitation before applying the patch
Patch Information
N-able has released N-central 2025.4, which remediates the insecure deserialization flaw in the Windows Software Probe. Administrators should follow the upgrade guidance in the N-able Security Advisory for CVE-2025-11367 and validate probe versions post-upgrade.
Workarounds
- Limit network exposure of probe hosts to management VLANs only and block inbound access from user and guest networks
- Run the probe service under a least-privilege account where supported by the deployment guidance
- Increase logging verbosity on probe hosts and forward telemetry to a central SIEM until patching is complete
# Example: restrict inbound access to the probe host using Windows Firewall
# Replace <ProbePort> with the port used by your N-central probe deployment
# and <MgmtSubnet> with the authorized management network range
New-NetFirewallRule -DisplayName "Restrict N-central Probe Inbound" `
-Direction Inbound `
-Action Allow `
-Protocol TCP `
-LocalPort <ProbePort> `
-RemoteAddress <MgmtSubnet>
New-NetFirewallRule -DisplayName "Block N-central Probe Inbound (Default)" `
-Direction Inbound `
-Action Block `
-Protocol TCP `
-LocalPort <ProbePort>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
