Critical Vulnerability

CISA Flags Actively Exploited n8n RCE Bug as 24,700

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting n8n to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of ac

What Happened

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has formally added a critical remote code execution (RCE) vulnerability in the n8n workflow automation platform to its Known Exploited Vulnerabilities (KEV) catalog. This action, taken on Wednesday, is based on confirmed evidence of active exploitation in the wild. The flaw, tracked as CVE-2025-68613, affects n8n instances with specific, common configurations. Concurrently, internet scans reveal that approximately 24,700 n8n instances remain publicly exposed and likely unpatched, presenting a massive attack surface for threat actors.

Why It Matters

n8n is a widely used, open-source tool for connecting APIs and automating workflows, often integrated into critical business processes and handling sensitive data. Its compromise can serve as a high-value initial access vector into an organization’s internal network. CISA’s KEV designation mandates that all U.S. federal civilian agencies patch this vulnerability by a specified deadline, underscoring the severity. For the private sector, this is a strong indicator that sophisticated attackers are already weaponizing this flaw, making it a top-priority patch for any organization using n8n to prevent potential system takeover and data breach.

Technical Details

The specific technical details of CVE-2025-68613 are not fully public, but the flaw is a critical-severity vulnerability that allows unauthenticated remote attackers to execute arbitrary code on the host server. Exploitation is tied to a default or common configuration setting within n8n. Successful exploitation does not require user interaction, making the flaw a prime target for automated scanning and attack scripts. The vulnerability affects n8n versions prior to the patched release. The 24,700 exposed instances identified are primarily those accessible on the public internet without proper access controls or network segmentation.

Immediate Risk

The risk is immediate and critical. With CISA confirming active exploitation and a vast pool of exposed targets, widespread attacks are inevitable. Unpatched and exposed n8n instances are at direct risk of complete compromise. Attackers can leverage this flaw to deploy ransomware, establish persistent backdoors, steal credentials and data from connected services, or move laterally within the network. Organizations that have not yet applied the patch or secured their n8n deployment behind a firewall are operating under an active threat.

Security Insight

This event highlights the acute danger of internet-exposed, under-secured business applications. The first and most critical action is to immediately update n8n to the latest patched version. However, patching alone is insufficient. Security teams must also enforce the principle of least exposure: n8n instances should never be directly accessible from the internet. They must be placed behind a VPN or strict firewall rules, or kept within a private network segment. Additionally, review n8n configuration guides to disable any default settings that weaken security. Treat any automation platform with high-level network access as a critical asset requiring robust protection.
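
A host-side check for the least-exposure advice above, as an added example that is not from the original article or the n8n project: it parses `ss -H -ltn` output and reports every listener on the n8n port that is not bound to loopback. It assumes a Linux host and n8n's default port 5678; the sample output is constructed.

```python
import ipaddress

# Assumption: n8n listens on its default port 5678; change if your deployment overrides it.
N8N_PORT = 5678

# Constructed sample of `ss -H -ltn` output, not captured from a real host.
SAMPLE_SS = """\
LISTEN 0 511 0.0.0.0:5678 0.0.0.0:*
LISTEN 0 511 127.0.0.1:5678 0.0.0.0:*
LISTEN 0 128 [::]:5678 [::]:*
LISTEN 0 128 10.20.0.5:5678 0.0.0.0:*
LISTEN 0 128 *:5678 *:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
"""

def classify_bind(addr: str) -> str:
    """Classify a local bind address as wildcard, loopback, private or public."""
    addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface scope
    if addr == "*":
        return "wildcard"
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:  # 0.0.0.0 or :: means every interface
        return "wildcard"
    if ip.is_loopback:
        return "loopback"
    return "private" if ip.is_private else "public"

def audit_listeners(ss_output: str, port: int = N8N_PORT) -> list:
    """Return (local_address, scope) for each non-loopback listener on `port`."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, listen_port = fields[3].rpartition(":")
        if not listen_port.isdigit() or int(listen_port) != port:
            continue
        try:
            scope = classify_bind(host)
        except ValueError:
            scope = "unparsed"  # surface unexpected formats instead of hiding them
        if scope != "loopback":
            findings.append((fields[3], scope))
    return findings

if __name__ == "__main__":
    for local, scope in audit_listeners(SAMPLE_SS):
        print(f"n8n port reachable beyond loopback: {local} ({scope})")
```

A `private` result still needs the segment's ingress rules confirmed, and a loopback-only bind still depends on how the reverse proxy or VPN in front of it is configured.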
