CISA Warns of Actively Exploited n8n Remote Code Execution Vulnerability Affecting 24,700 Instances
- Mar 12
Key Findings
* Critical remote code execution vulnerability in n8n workflow platform
* CVE-2025-68613 added to CISA's Known Exploited Vulnerabilities (KEV) catalog
* 24,700 unpatched instances exposed online
* Vulnerability allows authenticated attackers to execute arbitrary code
* FCEB agencies ordered to patch by March 25, 2026
Background
n8n is an open-source workflow automation platform that lets users connect different applications and services. The vulnerability lies in the platform's workflow expression evaluation system and allows an authenticated attacker to execute arbitrary code on the instance. This is the first n8n vulnerability to be added to CISA's KEV catalog, underscoring the severity of the issue.
Vulnerability Details
The flaw, tracked as CVE-2025-68613, carries a critical CVSS score of 9.9. It is an expression injection vulnerability in the platform's workflow expression evaluation system: an authenticated attacker who can supply expression content gets remote code execution. Successful exploitation can result in complete compromise of the n8n instance, allowing attackers to:
* Access sensitive data
* Modify existing workflows
* Execute system-level operations
Exposure Analysis
Shadowserver Foundation data reveals significant global exposure:
* Total exposed instances: 24,700
* North American instances: 12,300
* European instances: 7,800
* Remaining instances distributed across other regions
Mitigation and Remediation
n8n has shipped the fix in the following releases; administrators should upgrade to the fixed release for the branch they run. Because exploitation requires an authenticated account, instances that cannot be patched immediately should at least not be reachable from the Internet and should limit who can create or edit workflows:
* Version 1.120.4
* Version 1.121.1
* Version 1.122.0
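When triaging a fleet against the three fixed releases above, the check is not a single "version greater than X" comparison, because the fix was backported to two older branches. The following is an added example (illustrative inventory logic written for this page, not n8n project code) that classifies n8n version strings as patched or vulnerable. It assumes that any release at or beyond 1.122.0 carries the fix, that versions on the 1.120.x and 1.121.x branches are fixed from 1.120.4 and 1.121.1 respectively, and that anything older on an unlisted branch is unpatched; the host inventory is constructed sample data.

```javascript
// Added example: classify n8n version strings against the fixed releases
// named in the advisory. Not n8n project code; the branch logic below is an
// assumption derived from the three listed releases.
const FIXED_VERSIONS = ["1.120.4", "1.121.1", "1.122.0"];

function parseVersion(s) {
  // Accept "1.120.3", "v1.120.3" or "1.120.3-rc.1" (prerelease tag ignored,
  // which is an assumption: prereleases are treated as their base version).
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(s).trim());
  if (!m) throw new Error(`unparseable version: ${s}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isPatched(versionString, fixed = FIXED_VERSIONS) {
  const v = parseVersion(versionString);
  const fixedParsed = fixed.map(parseVersion).sort(compareVersions);
  const newest = fixedParsed[fixedParsed.length - 1];
  // Anything at or beyond the newest fixed release carries the fix
  // (assumption: no later regression).
  if (compareVersions(v, newest) >= 0) return true;
  // Otherwise look for a backported fix on the same major.minor branch.
  const branchFix = fixedParsed.find((f) => f[0] === v[0] && f[1] === v[1]);
  if (branchFix) return v[2] >= branchFix[2];
  // Older than the newest fix and no backport on this branch: vulnerable.
  return false;
}

// inventory: [{ host, version }] -> { patched, vulnerable, unknown } host lists.
// Unparseable versions (e.g. a "latest" tag) are reported rather than guessed.
function triage(inventory) {
  const out = { patched: [], vulnerable: [], unknown: [] };
  for (const { host, version } of inventory) {
    try {
      (isPatched(version) ? out.patched : out.vulnerable).push(host);
    } catch (e) {
      out.unknown.push(host);
    }
  }
  return out;
}

// Constructed sample inventory; these are not real hosts.
const SAMPLE_INVENTORY = [
  { host: "n8n-prod-1", version: "1.120.3" },
  { host: "n8n-prod-2", version: "1.120.4" },
  { host: "n8n-staging", version: "1.121.0" },
  { host: "n8n-dev", version: "v1.123.2" },
  { host: "n8n-old", version: "1.99.0" },
  { host: "n8n-unknown", version: "latest" },
];

console.log(JSON.stringify(triage(SAMPLE_INVENTORY), null, 2));
```

Feed `triage` whatever your inventory source returns (the version field as reported by the running instance), and treat every host in the `unknown` bucket as unverified rather than safe.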
Regulatory Response
CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies patch their n8n instances by March 25, 2026, under Binding Operational Directive (BOD) 22-01.
Additional Context
Another critical vulnerability (CVE-2026-27577) was disclosed by Pillar Security, further emphasizing the need for thorough security assessment of the n8n platform.
Sources
https://thehackernews.com/2026/03/cisa-flags-actively-exploited-n8n-rce.html
https://eromang.zataz.com/2026/03/12/cisa-flags-actively-exploited-n8n-rce-bug-as-24700-instances-remain-exposed/
https://x.com/shah_sheikh/status/2031967078044082262
https://news.backbox.org/2026/03/12/cisa-flags-actively-exploited-n8n-rce-bug-as-24700-instances-remain-exposed/