CVE-2025-11366
Published: 12 November 2025
Description
N-central < 2025.4 is vulnerable to authentication bypass via path traversal
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the CVE by requiring timely remediation of the path traversal flaw through patching or upgrading to N-central 2025.4.
Prevents authentication bypass via path traversal by enforcing validation of manipulated file path inputs in requests.
Enforces logical access controls to limit unauthorized access even if path traversal partially succeeds in bypassing authentication.
Security Summary
CVE-2025-11366 is a critical authentication bypass vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting N-central versions prior to 2025.4. The issue stems from path traversal (CWE-22), enabling attackers to circumvent authentication mechanisms by manipulating file paths in requests.
Remote attackers with network access can exploit this vulnerability without any privileges or user interaction. Successful exploitation provides high-impact access, allowing unauthorized disclosure of sensitive data (C:H), modification of systems or data (I:H), and disruption of services (A:H).
The N-able security advisory at https://me.n-able.com/s/security-advisory/aArVy0000000rcDKAQ/cve202511366-ncentral-authentication-bypass-via-path-traversal provides details on mitigation, including upgrading to N-central 2025.4 or later to address the path traversal flaw.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a path traversal flaw in a network-accessible application (N-central RMM) enabling remote authentication bypass without privileges, directly mapping to exploitation of public-facing applications.