A critical vulnerability in the Linux kernel’s netfilter ipset subsystem has been discovered that allows local attackers to escalate privileges to root-level access. 

The flaw, identified in the bitmap:ip implementation within the ipset framework, stems from insufficient range validation when processing CIDR notation in IP address ranges. 

This missing bounds check enables attackers to trigger out-of-bounds memory writes in kernel space, ultimately providing a pathway to full system compromise. 

Key Takeaways
1. Critical vulnerability in Linux kernel's netfilter ipset subsystem allows attackers to trigger out-of-bounds memory writes.
2. Attackers with local access can exploit this flaw to gain root privileges.
3. Immediately update to patched kernel versions.

The vulnerability affects kernel versions up to 6.12.2 and has been addressed through a recently released patch that implements proper range validation across all code paths.

Linux Kernel Netfilter Vulnerability

SSD Secure Disclosure reports that the security flaw resides in the bitmap_ip_uadt function within the net/netfilter/ipset/ip_set_bitmap_ip.c file, where insufficient validation occurs when processing CIDR-based IP ranges. 

The ipset subsystem, designed for high-performance packet filtering in conjunction with iptables and nftables, uses bitmap data structures to efficiently manage sets of IPv4 addresses. 

When users specify IP ranges using CIDR notation through the netfilter netlink interface, the vulnerable code path fails to verify that the calculated IP range falls within the allocated bitmap boundaries.

The root cause emerges when the tb[IPSET_ATTR_CIDR] attribute is present but tb[IPSET_ATTR_IP_TO] is absent. 

In this scenario, the ip_set_mask_from_to function calculates new ip and ip_to values based on the CIDR mask, but unlike the explicit range case, no validation ensures the resulting ip value doesn’t underflow below map->first_ip. 

This creates a situation where crafted CIDR values can cause integer underflow, leading to out-of-bounds array access when the calculated index is truncated from u32 to u16 during bitmap operations.

Exploitation of this vulnerability requires local access but no special privileges, making it particularly dangerous in multi-user environments or containerized systems. 

Attackers can leverage the netfilter netlink socket interface to send maliciously crafted ipset commands that trigger the vulnerable code path. 

By carefully constructing bitmap:ip set creation and addition operations with specific CIDR values, attackers can achieve controlled out-of-bounds writes beyond the allocated bitmap memory region.

The exploitation technique involves creating multiple bitmap:ip objects to establish a predictable memory layout, then using the out-of-bounds write primitive to overwrite critical kernel data structures. 

Specifically, attackers can modify the members pointer of adjacent bitmap_ip objects, transforming the limited write primitive into arbitrary memory write capabilities.

The proof-of-concept demonstrates overwriting the core_pattern kernel parameter, which controls how core dumps are processed, allowing attackers to execute arbitrary commands with root privileges when triggering a segmentation fault.

The vulnerability’s impact extends beyond simple privilege escalation, as successful exploitation grants attackers complete control over the affected system. 

This includes the ability to install rootkits, modify system configurations, access sensitive data, and potentially pivot to other systems on the network. 

Organizations running affected kernel versions should prioritize applying the available patch, which addresses the issue by implementing a comprehensive range validation that checks both ip < map->first_ip and ip_to > map->last_ip conditions regardless of how the IP range is specified.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.

The post Linux Kernel Netfilter Vulnerability Let Attackers Escalate Privileges appeared first on Cyber Security News.

Over 1,000 exposed and unpatched N-able N-central Remote Monitoring and Management (RMM) servers are vulnerable to two newly disclosed zero-day vulnerabilities – CVE-2025-8875 and CVE-2025-8876. 

As of August 15, 2025, exactly 1,077 unique IPs have been identified as running outdated N-central versions, presenting a significant risk to managed service providers (MSPs) and their clients. 

These vulnerabilities are now tracked in the CISA Known Exploited Vulnerabilities (KEV) catalog, underlining their severity.

Key Takeaways
1. 1,077 unpatched N-able N-central RMM servers exposed to CVE-2025-8875 & CVE-2025-8876 zero-days.
2. RCE vulnerabilities allow attackers to compromise MSP environments.
3. Immediate upgrade required.

The Shadowserver Foundation scan data reveals that unpatched servers are concentrated in the United States (440 IPs), Canada (112 IPs), the Netherlands (110 IPs), and the United Kingdom (98 IPs), with additional exposed instances found in Australia and South Africa. 

Top affected countries

N-able N-central Vulnerabilities

Both vulnerabilities affect HTTP-accessible N-central deployments and remain exploitable until administrators apply the newly released version 2025.3.1 security patch.

CVE-2025-8875 and CVE-2025-8876 are classified as authentication-required RCE (Remote Code Execution) vulnerabilities. 

While authentication limits initial attack vectors, threat actors who obtain credentials—through phishing or prior compromises—can exploit these flaws to execute arbitrary commands, escalate privileges, and potentially pivot within MSP-managed environments.

N-able’s recommended upgrade path is critical: “You must upgrade your on-premises N-central to 2025.3.1. 

Details of the CVEs will be published three weeks after the release as per our security practices.” 

The update introduces vital audit logging improvements for SSH and scheduled tasks (such as “SSH Login”, “Scheduled Task Edited”, “Script Deleted”) and supports Syslog export for enhanced compliance monitoring.

Administrators can configure the new audit logging using:

Alongside these security upgrades, N-central’s Device Management API has improved automation. MSPs can now onboard endpoints in bulk via POST /api/device and retrieve application details using:

These enhancements empower defenders to audit user activity and accelerate device onboarding, but require timely remediation. 

Any instances receiving Shadowserver alerts should be immediately reviewed for compromise and patched using N-able’s official update.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.

The post 1000+ Exposed N-able N-central RMM Servers Unpatched for 0-Day Vulnerabilities appeared first on Cyber Security News.