
CISA Warns of Actively Exploited n8n Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in the n8n workflow automation platform to its catalog of actively exploited vulnerabilities. The agency took this action on Wednesday, citing clear evidence that malicious actors are currently leveraging the bug in attacks.

The vulnerability, identified as CVE-2025-68613, carries a CVSS score of 9.9 out of a possible 10. It is classified as an expression injection flaw that can be exploited to achieve remote code execution (RCE), allowing an attacker to run arbitrary commands on a vulnerable server and potentially compromise the entire system.

Scope of the Exposure

According to recent internet scans, approximately 24,700 n8n instances remain publicly exposed and potentially vulnerable to this flaw. This large number of unpatched systems presents a widespread risk to organizations that use the platform for business process automation and integrations.

n8n is an open-source, low-code tool popular with developers and IT teams for connecting various applications and services. Its ability to handle sensitive data and execute workflows makes it a high-value target for cybercriminals seeking to infiltrate corporate networks.

Official Guidance and Patching

CISA’s inclusion of the flaw in its Known Exploited Vulnerabilities (KEV) catalog carries a binding directive for U.S. federal civilian executive branch agencies. These agencies are required to apply the available security patch by a specified deadline to secure their networks.

The n8n development team has already released a software update that addresses the security shortcoming. CISA strongly urges all administrators of n8n, both in the public and private sectors, to prioritize applying this patch immediately to block ongoing exploitation attempts.

Broader Implications for Security

This event highlights the persistent threat posed by vulnerabilities in widely used automation and integration software. Security researchers note that such platforms, often granted high levels of system access, can serve as powerful entry points for attackers if left unsecured.

The rapid onset of active exploitation following the disclosure of a proof-of-concept demonstrates how quickly threat actors operationalize new attack methods. It underscores the importance of prompt patch management as a foundational cybersecurity practice.

Looking ahead, cybersecurity teams are expected to intensify scans for vulnerable n8n instances within their environments. CISA and industry partners will likely continue monitoring attack patterns related to this flaw, and may release additional defensive guidance if new exploitation techniques emerge. The focus remains on reducing the substantial number of exposed systems before more organizations fall victim to attacks.

Source: Original agency release and security advisories