CVE-2025-11367 Overview
CVE-2025-11367 is a critical insecure deserialization vulnerability affecting N-able N-central Software Probe versions prior to 2025.4. This Remote Code Execution (RCE) vulnerability allows unauthenticated attackers to execute arbitrary code on vulnerable systems by sending malicious serialized objects over the network. The vulnerability stems from improper validation of user-supplied data during deserialization operations, a common weakness classified as CWE-502.
Critical Impact
Unauthenticated remote code execution allowing complete system compromise of N-central Software Probe installations with potential lateral movement across managed networks.
Affected Products
- N-able N-central Software Probe versions prior to 2025.4
- N-able N-central Windows Software Probe
Discovery Timeline
- November 12, 2025 - CVE-2025-11367 published to NVD
- November 14, 2025 - Last updated in NVD database
Technical Details for CVE-2025-11367
Vulnerability Analysis
This vulnerability represents a classic insecure deserialization flaw in the N-central Software Probe component. The N-central platform is a remote monitoring and management (RMM) solution widely deployed by managed service providers (MSPs) to oversee client infrastructure. The Software Probe acts as a local agent collecting system data and communicating with the central N-central server.
The deserialization vulnerability allows attackers to craft malicious serialized objects that, when processed by the vulnerable Probe component, result in arbitrary code execution. Because this vulnerability requires no authentication and is exploitable over the network, attackers can gain immediate access to systems running the vulnerable probe software. Given that N-central deployments often have privileged access to numerous client systems, successful exploitation could provide attackers with a foothold for widespread lateral movement across managed environments.
Root Cause
The root cause of CVE-2025-11367 is improper handling of serialized data within the N-central Software Probe. The application fails to adequately validate or sanitize incoming serialized objects before deserializing them. This allows an attacker to inject malicious object graphs that trigger arbitrary code execution during the deserialization process—a pattern commonly referred to as "gadget chain" exploitation in Java and .NET environments.
Attack Vector
The attack vector is network-based, requiring no authentication or user interaction. An attacker can remotely target exposed N-central Software Probe instances by sending specially crafted serialized payloads. The vulnerability is particularly severe because:
- The attack can be executed without any credentials
- No user interaction is required
- The probe typically runs with elevated privileges
- MSP environments may have probes deployed across numerous client networks
The attacker constructs a malicious serialized object containing a gadget chain—a sequence of object types that, when deserialized, trigger method invocations leading to code execution. This payload is then transmitted to the vulnerable probe service, which processes the malicious data and executes the attacker's code.
Detection Methods for CVE-2025-11367
Indicators of Compromise
- Unexpected outbound network connections from N-central Software Probe processes
- Suspicious child processes spawned by the probe service executable
- Anomalous serialized data patterns in network traffic to probe listening ports
- Unusual system commands or PowerShell executions originating from probe service context
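The indicators above can be checked against endpoint telemetry. The following is an added example, not part of the original advisory and not N-able or SentinelOne tooling: it scans simplified Sysmon-style events for shells spawned by the probe and for outbound probe connections to destinations outside an allowlist. The probe executable name `probe-placeholder.exe`, the allowlisted server address, and all sample events are constructed assumptions.

```python
import ipaddress
import json
import ntpath

# Assumptions, not from the advisory: placeholder probe binary name and
# placeholder address of the legitimate N-central server.
PROBE_IMAGE = "probe-placeholder.exe"
ALLOWED_DESTS = [ipaddress.ip_network("192.0.2.10/32")]
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
          "cscript.exe", "mshta.exe", "rundll32.exe"}

# Constructed sample events, simplified Sysmon-style JSON lines
# (EventID 1 = process creation, EventID 3 = network connection).
SAMPLE_LOG = r"""
{"EventID": 1, "ParentImage": "C:\\Probe\\probe-placeholder.exe", "Image": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 1, "ParentImage": "C:\\Windows\\System32\\services.exe", "Image": "C:\\Probe\\probe-placeholder.exe"}
{"EventID": 3, "Image": "C:\\Probe\\probe-placeholder.exe", "DestinationIp": "192.0.2.10"}
{"EventID": 3, "Image": "C:\\Probe\\probe-placeholder.exe", "DestinationIp": "203.0.113.77"}
{"EventID": 1, "ParentImage": "C:\\Probe\\PROBE-PLACEHOLDER.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe"}
""".strip().splitlines()

def exe(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()

def analyze(lines):
    """Return (line_no, rule, detail) tuples for probe-related anomalies."""
    alerts = []
    for n, line in enumerate(lines, 1):
        try:
            ev = json.loads(line)
            dest = ipaddress.ip_address(ev["DestinationIp"]) if ev.get("EventID") == 3 else None
        except (ValueError, KeyError, AttributeError):
            alerts.append((n, "malformed-event", ""))
            continue
        if ev.get("EventID") == 1 and exe(ev.get("ParentImage")) == PROBE_IMAGE:
            child = exe(ev.get("Image"))
            rule = "probe-spawned-shell" if child in SHELLS else "probe-spawned-process"
            alerts.append((n, rule, child))
        elif ev.get("EventID") == 3 and exe(ev.get("Image")) == PROBE_IMAGE:
            if not any(dest in net for net in ALLOWED_DESTS):
                alerts.append((n, "probe-unexpected-outbound", str(dest)))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The `probe-spawned-process` rule fires on any non-shell child of the probe, so it needs a baseline of the probe's normal helper processes before it is useful as an alert.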
Detection Strategies
- Monitor network traffic for abnormal payloads targeting N-central probe ports
- Implement application-level logging to capture deserialization events and errors
- Deploy endpoint detection rules to identify gadget chain patterns typical of deserialization attacks
- Use SentinelOne Singularity platform behavioral AI to detect post-exploitation activities
Monitoring Recommendations
- Enable verbose logging on N-central Software Probe services
- Configure network intrusion detection systems to alert on malformed or oversized serialized objects
- Implement continuous monitoring for unauthorized process creation by probe services
- Review N-able security advisories and subscribe to vendor notification channels
How to Mitigate CVE-2025-11367
Immediate Actions Required
- Upgrade N-central Software Probe to version 2025.4 or later immediately
- Audit all N-central deployments to identify vulnerable probe installations
- Restrict network access to probe services using firewall rules where possible
- Monitor probe systems for signs of compromise while preparing for updates
Patch Information
N-able has released version 2025.4 of the N-central Software Probe to address this vulnerability. Organizations should consult the N-able Security Advisory CVE-2025-11367 for detailed upgrade instructions and additional guidance. Given the critical nature of this vulnerability and its potential impact on managed service provider environments, immediate patching is strongly recommended.
Workarounds
- Implement network segmentation to isolate probe services from untrusted networks
- Configure host-based firewalls to restrict access to probe listening ports to known management IP addresses
- Enable enhanced monitoring and alerting for any probe-related process anomalies
- Consider temporarily disabling vulnerable probes in high-risk environments until patches can be applied