The U.S. government's cybersecurity agency, CISA, has ordered federal agencies to update their n8n installations urgently after a vulnerability that is already being exploited in real environments. The warning is serious because n8n is not a marginal tool: it is a very popular workflow automation engine in data science and artificial intelligence projects and in data ingestion pipelines, with a wide user community and mass downloads on both npm and Docker Hub.
The vulnerability, tracked as CVE-2025-68613, allows remote code execution on vulnerable servers through the system that evaluates expressions within workflows. In practical terms, an authenticated attacker could get the n8n process to execute arbitrary commands and so compromise the whole instance with the credentials of the service itself. That makes every installation a potential store of secrets and a very attractive target.

What makes this vulnerability so dangerous is not just the possibility of remote execution, but the kind of information that automation platforms usually hold: API keys, OAuth tokens, database credentials, cloud storage permissions and even secrets used in continuous integration processes. Successful access can result in data theft, manipulation of automated workflows and lateral movement within the network.
The n8n team published the fix in December in version v1.122.0 and has recommended that administrators apply the update immediately. For organizations that cannot update right away, the developers suggest temporary measures such as restricting workflow creation and editing to fully trusted users and limiting operating-system privileges and network access, with the aim of reducing the attack surface until the patch is applied.
The urgency became apparent when CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalogue and required federal executive agencies to remediate affected instances by 25 March, in accordance with Binding Operational Directive BOD 22-01. Although this mandate applies only to federal entities, CISA has urged everyone responsible for security to act without delay.
Internet exposure figures amplify the call to action: the Shadowserver monitoring group has identified more than 40,000 unpatched n8n instances reachable from the public internet, with a significant concentration in North America and Europe. At this scale, not only automated attackers but also targeted actors have a large pool of unprotected installations to find and exploit. Shadowserver's tracking is available on its public dashboard.
Beyond the specific fix for CVE-2025-68613, the n8n project has had several critical vulnerabilities in recent months, including one dubbed "Ni8mare" that allowed unprivileged remote attackers to take over unpatched servers. This recent record reinforces the idea that platforms which handle automation and secrets require continuous management and monitoring, not just one-off patches.

If you manage n8n instances, act on several fronts: identify every installation in the organization's inventory, plan the update to the patched version, rotate keys and credentials that may have been exposed, and review logs and detections for abnormal activity. In environments where the update cannot be applied immediately, applying strict access controls, segmenting the network and limiting the ability of n8n processes to run commands on the system can mitigate risk until the official fix is applied. The CISA notice also notes that, if no viable mitigation exists, the responsible alternative is to stop using the product temporarily.
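For the inventory and update-planning steps, the following added example (not from this article or the n8n project) classifies a constructed list of container image tags against the fixed release v1.122.0 named above and puts exposed, vulnerable hosts first. The host names, tags and CSV layout are assumptions, and the threshold is only the release this article names, so check the vendor advisory for fixes backported to other branches.

```python
import re

# Fixed release named in the article; confirm branch backports in the advisory.
FIXED = (1, 122, 0)

# Constructed sample inventory: host, image reference, internet-exposed flag.
INVENTORY = """\
etl-01,n8nio/n8n:1.119.2,yes
ml-ingest,n8nio/n8n:1.122.0,no
ci-hooks,n8nio/n8n:latest,yes
lab-03,n8nio/n8n:1.98.1,no
ops-auto,docker.n8n.io/n8nio/n8n:1.123.4,yes
"""

# Matches only a pinned x.y.z tag at the end of the image reference.
TAG_RE = re.compile(r":v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(image_ref):
    """Return (major, minor, patch) from a pinned tag, or None if unpinned."""
    m = TAG_RE.search(image_ref.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def classify(image_ref):
    """Compare the pinned tag with FIXED; floating tags cannot be judged."""
    version = parse_version(image_ref)
    if version is None:
        return "UNKNOWN"  # e.g. ':latest' or a digest: check the running instance
    return "PATCHED" if version >= FIXED else "VULNERABLE"


def triage(inventory_text):
    """Return (host, status, exposed) rows, most urgent first."""
    rows = []
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, image, exposed = (f.strip() for f in line.split(","))
        rows.append((host, classify(image), exposed.lower() == "yes"))
    order = {"VULNERABLE": 0, "UNKNOWN": 1, "PATCHED": 2}
    # Within each status, internet-exposed hosts sort ahead of internal ones.
    return sorted(rows, key=lambda r: (order[r[1]], not r[2], r[0]))


if __name__ == "__main__":
    for host, status, exposed in triage(INVENTORY):
        print(f"{host:10} {status:10} exposed={exposed}")
```

Hosts reported as UNKNOWN run a floating tag, so the deployed version has to be read from the instance itself before it can be ruled in or out.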
For further information, see CISA's notice on adding the vulnerability to its catalogue, the technical details in the National Vulnerability Database (NVD), and the security advisory published by the n8n team in its GitHub repository. These sources give the concrete steps for patching, as well as additional recommendations to reduce impact for those who cannot update immediately.
In short, the combination of a widely used tool, the ability to run code at process level and the presence of thousands of exposed instances makes CVE-2025-68613 one of those vulnerabilities that should not be ignored. Updating as soon as possible, auditing access and rotating secrets are essential actions to avoid an intrusion with serious consequences.