
CISA: N-able N-central Vulnerabilities Exploited in Zero-Day Attacks

Urgent Security Alert: Critical N-able N-central Flaws Actively Exploited

Cybersecurity authorities are issuing a critical warning regarding two severe vulnerabilities in N-able’s N-central remote monitoring and management (RMM) software. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that these flaws are being actively exploited in the wild and has added them to its Known Exploited Vulnerabilities (KEV) catalog, signaling a significant and immediate threat to organizations.

These vulnerabilities, if left unpatched, could allow attackers to gain complete control over affected systems, creating a major security risk for managed service providers (MSPs) and IT departments that rely on this widely used platform.

Understanding the Critical Flaws

The two vulnerabilities at the heart of this alert create a dangerous attack chain that can be executed by an unauthenticated remote attacker.

  • CVE-2023-7102: This is an uncontrolled search path vulnerability that allows an attacker to upload a malicious file to a specific, trusted directory on the N-central server.
  • CVE-2023-7101: This is an improper authentication flaw. By leveraging this vulnerability, the attacker can then trigger the N-central system to execute their malicious file, effectively bypassing all security checks.

When combined, these two security gaps allow an attacker to achieve remote code execution with SYSTEM-level privileges—the highest level of access on a Windows system.

The Impact: A Gateway to Your Entire Network

The compromise of an RMM tool like N-able N-central is exceptionally dangerous. Because these platforms are designed to manage and access numerous client endpoints, a successful attack provides a powerful launchpad for widespread, supply-chain-style attacks.

Once an attacker gains administrative control over the N-central server, they can potentially:

  • Create new, rogue administrator accounts to maintain persistent access.
  • Deploy malware, including ransomware, across all connected client systems.
  • Steal sensitive data from both the central server and managed endpoints.
  • Disable security tools and erase logs to cover their tracks.

The potential for lateral movement and broad network compromise makes patching these vulnerabilities a top priority for all N-able N-central users.

Immediate Steps to Secure Your Environment

Given the active exploitation of these vulnerabilities, immediate action is required to protect your infrastructure and your clients. Follow these essential security measures without delay.

  1. Patch Immediately: N-able has released patches to address these critical flaws. Organizations using N-able N-central must upgrade to a secure version as soon as possible. The vulnerabilities affect N-central version 2023.8 and earlier. The issue is resolved in version 2023.9 HF1 and later.

  2. Apply Mitigations: For those unable to patch immediately, N-able has also provided a mitigation script. While patching is the only definitive solution, this script can serve as a crucial temporary measure to disrupt the attack chain.

  3. Hunt for Signs of Compromise: Since these vulnerabilities are being exploited as zero-days, it is vital to audit your systems for any signs of malicious activity. Carefully review N-central user accounts for any unauthorized or suspicious administrator-level profiles. Check system logs for unusual file uploads or unexpected process executions related to the N-central agent service.
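One way to carry out the account review in step 3 is to compare the current user list against a snapshot taken before the exposure window. The script below is an added example, not N-able tooling or code from the original article; the CSV column names, the role names, and the sample accounts are constructed assumptions to be adapted to whatever export your deployment produces.

```python
import csv
import io

# Constructed sample exports (not real N-central output); column names are assumptions.
BASELINE_CSV = """username,role,created
alice@msp.example,Administrator,2022-03-01
bob@msp.example,Technician,2022-05-14
carol@msp.example,Administrator,2021-11-20
"""

CURRENT_CSV = """username,role,created
Alice@MSP.example ,Administrator,2022-03-01
bob@msp.example,Administrator,2022-05-14
carol@msp.example,Administrator,2021-11-20
svc-backup@msp.example,administrator,2024-01-09
dave@msp.example,Technician,2024-01-10
"""

ADMIN_ROLES = {"administrator"}  # assumption: set to the admin-level role names you use


def load_accounts(csv_text):
    """Return {normalized username: {role, created}} so case/whitespace cannot hide a match."""
    accounts = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["username"].strip().lower()
        accounts[name] = {"role": row["role"].strip().lower(), "created": row["created"].strip()}
    return accounts


def audit_admins(baseline_text, current_text):
    """Return admin-level accounts that are new or were escalated since the baseline."""
    baseline = load_accounts(baseline_text)
    current = load_accounts(current_text)
    findings = []
    for name, acct in sorted(current.items()):
        if acct["role"] not in ADMIN_ROLES:
            continue
        old = baseline.get(name)
        if old is None:
            findings.append((name, "new admin account", acct["created"]))
        elif old["role"] not in ADMIN_ROLES:
            findings.append((name, "escalated from " + old["role"], acct["created"]))
    return findings


if __name__ == "__main__":
    for name, reason, created in audit_admins(BASELINE_CSV, CURRENT_CSV):
        print(f"REVIEW {name}: {reason} (created {created})")
```

Comparing against a baseline catches an existing account that was quietly promoted to administrator as well as a newly created one, which a simple scan for unfamiliar names would miss.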

The confirmation of active attacks elevates this situation from a potential risk to a clear and present danger. Proactive patching and thorough security audits are no longer optional—they are essential steps to defend against a confirmed threat.

Source: https://www.bleepingcomputer.com/news/security/cisa-warns-of-n-able-n-central-flaws-exploited-in-zero-day-attacks/
