|
40062 | 40062 | "needs_cleanup": false, |
40063 | 40063 | "actions": [] |
40064 | 40064 | }, |
| 40065 | + "auxiliary_scanner/http/nable_ncentral_auth_bypass_xxe": { |
| 40066 | + "name": "N-able N-Central Authentication Bypass and XXE Scanner", |
| 40067 | + "fullname": "auxiliary/scanner/http/nable_ncentral_auth_bypass_xxe", |
| 40068 | + "aliases": [], |
| 40069 | + "rank": 300, |
| 40070 | + "disclosure_date": "2025-11-17", |
| 40071 | + "type": "auxiliary", |
| 40072 | + "author": [ |
| 40073 | + "Zach Hanley (Horizon3.ai)", |
| 40074 | + "Valentin Lobstein <chocapikk@leakix.net>" |
| 40075 | + ], |
| 40076 | + "description": "This module scans for vulnerable N-able N-Central instances affected by\n CVE-2025-9316 (Unauthenticated Session Bypass) and CVE-2025-11700 (XXE).\n\n The module attempts to exploit CVE-2025-9316 by sending a sessionHello SOAP\n request to the ServerMMS endpoint with various appliance IDs to obtain an\n unauthenticated session. If successful, it then tests for CVE-2025-11700\n by writing an XXE payload file and triggering it via importServiceTemplateFromFile.\n\n Files of interest that can be read via XXE:\n - /opt/nable/var/ncsai/etc/ncbackup.conf\n - /var/opt/n-central/tmp/ncbackup/ncbackup.bin (PostgreSQL dump)\n - /opt/nable/etc/keystore.bcfks (encrypted keystore)\n - /opt/nable/etc/masterPassword (keystore password)\n\n Affected versions: N-Central < 2025.4.0.9", |
| 40077 | + "references": [ |
| 40078 | + "CVE-2025-9316", |
| 40079 | + "CVE-2025-11700", |
| 40080 | + "URL-https://horizon3.ai/attack-research/attack-blogs/n-able-n-central-from-n-days-to-0-days/" |
| 40081 | + ], |
| 40082 | + "platform": "", |
| 40083 | + "arch": "", |
| 40084 | + "rport": 80, |
| 40085 | + "autofilter_ports": [ |
| 40086 | + 80, |
| 40087 | + 8080, |
| 40088 | + 443, |
| 40089 | + 8000, |
| 40090 | + 8888, |
| 40091 | + 8880, |
| 40092 | + 8008, |
| 40093 | + 3000, |
| 40094 | + 8443 |
| 40095 | + ], |
| 40096 | + "autofilter_services": [ |
| 40097 | + "http", |
| 40098 | + "https" |
| 40099 | + ], |
| 40100 | + "targets": null, |
| 40101 | + "mod_time": "2025-12-11 18:57:18 +0000", |
| 40102 | + "path": "/modules/auxiliary/scanner/http/nable_ncentral_auth_bypass_xxe.rb", |
| 40103 | + "is_install_path": true, |
| 40104 | + "ref_name": "scanner/http/nable_ncentral_auth_bypass_xxe", |
| 40105 | + "check": false, |
| 40106 | + "post_auth": false, |
| 40107 | + "default_credential": false, |
| 40108 | + "notes": { |
| 40109 | + "Stability": [ |
| 40110 | + "crash-safe" |
| 40111 | + ], |
| 40112 | + "SideEffects": [ |
| 40113 | + "ioc-in-logs" |
| 40114 | + ], |
| 40115 | + "Reliability": [] |
| 40116 | + }, |
| 40117 | + "session_types": false, |
| 40118 | + "needs_cleanup": false, |
| 40119 | + "actions": [] |
| 40120 | + }, |
40065 | 40121 | "auxiliary_scanner/http/nagios_xi_scanner": { |
40066 | 40122 | "name": "Nagios XI Scanner", |
40067 | 40123 | "fullname": "auxiliary/scanner/http/nagios_xi_scanner", |
|
0 commit comments