24,700 n8n Instances Still Exposed as CISA Flags Active Exploitation
CISA has added a critical remote code execution vulnerability in the n8n workflow automation platform to its Known Exploited Vulnerabilities (KEV) catalog, as internet exposure data shows more than 24,700 n8n instances remain publicly accessible — the vast majority still running vulnerable versions.
CVE-2025-68613, rated CVSS 9.9, is an improper control of dynamically-managed code resources vulnerability in n8n's expression evaluation subsystem. Exploitation allows an attacker to execute arbitrary commands on the n8n server without needing physical access or deep technical knowledge.
The Scale of the Problem
Internet scanning platforms including Shodan and FOFA reveal a striking level of exposure: as of the week of March 11, 2026, more than 24,700 n8n instances are discoverable and reachable from the public internet. Among this exposed population:
- A significant portion have no authentication or rely solely on basic HTTP credentials
- Many expose webhook endpoints that can trigger workflow execution from any external source
- Instances in DevOps and security environments often hold credentials for cloud infrastructure, CI/CD pipelines, and internal tooling
This exposure level, combined with a CVSS 9.9 RCE vulnerability confirmed as actively exploited, creates conditions for mass exploitation campaigns — automated scanning and compromise at scale.
Vulnerability Details
| Attribute | Value |
|---|---|
| CVE | CVE-2025-68613 |
| CVSS | 9.9 (Critical) |
| CWE | CWE-913 — Improper Control of Dynamically-Managed Code Resources |
| Vector | Network-accessible expression evaluation endpoint |
| Auth Required | Low (some exploitation paths may be unauthenticated) |
| Affected Versions | n8n < 1.88.0 |
| Patch | n8n 1.88.0 |
| CISA KEV Added | 2026-03-11 |
How the Vulnerability Works
n8n's expression evaluation engine processes `{{ }}` syntax embedded in workflow node configurations. This engine is intended to be sandboxed, restricting what code can be executed. CVE-2025-68613 exploits a flaw in how the sandbox controls dynamically-managed code resources — essentially, the sandbox fails to prevent certain expression patterns from reaching Node.js runtime primitives.
Once an attacker gains access to the runtime, they can invoke system calls equivalent to `child_process.exec()`, giving them full command execution on the host with the privileges of the n8n process.
Why n8n Is a Prime Target
n8n sits at the intersection of infrastructure access and credential storage, making it exceptionally valuable to attackers:
| Asset in n8n | Attacker Value |
|---|---|
| Stored API keys and OAuth tokens | Direct access to SaaS platforms, cloud APIs |
| Database credentials | SQL access to production data |
| Cloud provider credentials | AWS, Azure, GCP lateral movement |
| CI/CD integration tokens | Supply chain attack surface |
| Webhook endpoints | Persistent access and command execution |
| SOAR workflows | Subvert or disable security automation |
An attacker who achieves RCE on a central n8n instance in an enterprise environment effectively gains a master key to every service the automation platform connects to.
Active Exploitation: What CISA's KEV Means
CISA's KEV catalog is not theoretical — entries require evidence of actual exploitation in the wild. The agency's addition of CVE-2025-68613 on March 11 confirms that threat actors are actively scanning for and compromising vulnerable n8n instances right now.
Historically, once a vulnerability reaches CISA's KEV catalog, exploitation activity accelerates rapidly as lower-sophistication actors follow the signal. The 21-day remediation window for federal agencies reflects CISA's assessment of urgency.
Remediation
Update to n8n 1.88.0 immediately. This is the minimum patched version.
For organizations that cannot patch immediately:
- Disable internet exposure — remove n8n from any public-facing network segment
- Block external access to webhook endpoints — use firewall rules or reverse proxy ACLs
- Enable authentication if not already configured — at minimum, use n8n's built-in user management
- Monitor for exploitation indicators — unexpected child processes spawning from n8n, unusual outbound connections, credential access events in connected services
Post-patch actions:
- Rotate all credentials stored in n8n's credential manager
- Audit connected service accounts for unauthorized activity
- Review workflow execution history for signs of tampering
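As an added example (not code from this article or from the n8n project), a small Python triage script that flags inventoried n8n versions below 1.88.0 and applies the monitoring indicators above (interpreters spawned by the n8n process, outbound connections to hosts outside an allowlist) to a constructed, hypothetical EDR-style JSON event feed; the event schema and host names are assumptions, not any vendor's format.

```python
"""Defender-side triage for the n8n exposure above (constructed example).
The event feed is a hypothetical EDR-style JSON format, one event per line;
it is not an n8n log format or any vendor's schema."""
import json
from typing import Iterable, List

PATCHED = (1, 88, 0)  # n8n 1.88.0 is the minimum fixed version per the advisory
# Interpreters and download tools that an automation server's Node.js process
# has little legitimate reason to spawn directly; tune to your own workflows.
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "zsh", "python", "python3",
                       "perl", "curl", "wget", "nc", "ncat"}

# Constructed sample events: a normal n8n start, a shell spawned by n8n, a
# benign outbound connection, and one to an address outside the allowlist.
SAMPLE_EVENTS = [
    '{"type":"process","host":"auto-01","image":"/usr/bin/node",'
    '"cmdline":"node /usr/local/bin/n8n","parent_cmdline":"/sbin/init"}',
    '{"type":"process","host":"auto-01","image":"/bin/sh",'
    '"cmdline":"sh -c uname -a","parent_cmdline":"node /usr/local/bin/n8n"}',
    '{"type":"network","host":"auto-01","cmdline":"node /usr/local/bin/n8n",'
    '"dst":"api.github.com:443"}',
    '{"type":"network","host":"auto-01","cmdline":"node /usr/local/bin/n8n",'
    '"dst":"203.0.113.7:4444"}',
]


def parse_version(v: str) -> tuple:
    """'v1.87.2' -> (1, 87, 2) so release versions compare numerically."""
    return tuple(int(p) for p in v.lstrip("v").split("."))


def is_vulnerable(version: str) -> bool:
    """True when an inventoried n8n version is below the patched release."""
    return parse_version(version) < PATCHED


def flag_n8n_events(lines: Iterable[str],
                    allowed_hosts: frozenset = frozenset()) -> List[str]:
    """One alert per event matching the indicators above: an interpreter or
    downloader spawned by the n8n process, or an outbound connection from
    n8n to a host that is not on the allowlist."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev["type"] == "process" and "n8n" in ev.get("parent_cmdline", ""):
            if ev["image"].rsplit("/", 1)[-1] in SUSPICIOUS_CHILDREN:
                alerts.append(f"{ev['host']}: n8n spawned {ev['image']} ({ev['cmdline']})")
        elif ev["type"] == "network" and "n8n" in ev.get("cmdline", ""):
            if ev["dst"].rsplit(":", 1)[0] not in allowed_hosts:
                alerts.append(f"{ev['host']}: n8n connected to {ev['dst']}")
    return alerts
```

The allowlist of expected destinations must come from your own baseline of the workflows the instance runs; an empty allowlist flags every outbound connection from n8n.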