Proof of concept exploit for N-able N-central to chain CVE-2025-9316 and CVE-2025-11700 to read files# N-able N-central Unauthenticated XXE Sensitive Information Leak
Proof of concept exploit for N-able N-central to chain CVE-2025-9316 and CVE-2025-11700 to read files which contain credentials
## Blog Post
Deep-dive analysis here:
[https://www.horizon3.ai/attack-research/attack-blogs/n-able-n-central-from-n-days-to-0-days/](https://www.horizon3.ai/attack-research/attack-blogs/n-able-n-central-from-n-days-to-0-days/)
## Usage
```
% python3 ncentral_xxe_file_read.py -h
usage: ncentral_xxe_file_read.py [-h] --url URL --listen-ip LISTEN_IP --listen-port LISTEN_PORT [--file FILE] [--appliance-id APPLIANCE_ID] [--test-only]
N-able N-Central XXE Vulnerability Exploit
options:
-h, --help show this help message and exit
--url URL N-Central Base URL
--listen-ip LISTEN_IP
IP address for DTD server to bind to
--listen-port LISTEN_PORT
Port for DTD server to bind to
--file FILE Target file to read (default: /etc/passwd)
--appliance-id APPLIANCE_ID
Appliance ID to use (default: 3)
--test-only Only test endpoint accessibility
```
## Follow the Horizon3.ai Attack Team on Twitter for the latest security research:
* [Horizon3 Attack Team](https://twitter.com/Horizon3Attack)
* [James Horseman](https://twitter.com/JamesHorseman2)
* [Zach Hanley](https://twitter.com/hacks_zach)
## Disclaimer
This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.
[4.0K] /data/pocs/dd5f2ca1fdfb854a035ec5dbd6d7bb7ea882b86e
├── [ 15K] ncentral_xxe_file_read.py
└── [1.7K] README.md
1 directory, 2 files