CISA Mandates Patch for Actively Exploited n8n RCE Vulnerability

▼ Summary
– CISA ordered U.S. federal agencies to patch a critical vulnerability (CVE-2025-68613) in the n8n automation platform by March 25.
– The vulnerability allows authenticated attackers to execute arbitrary code on vulnerable servers, potentially leading to a full system compromise.
– n8n is a widely used, open-source platform that often stores highly sensitive data like API keys and credentials, making it a prime target.
– Over 40,000 unpatched n8n instances are exposed online, with the majority located in North America and Europe.
– While the mandate is for federal agencies, CISA urges all organizations to apply the patch or mitigation measures immediately due to active exploitation.

The U.S. Cybersecurity and Infrastructure Security Agency has issued a mandatory directive for federal agencies to address a critical security flaw in the n8n workflow automation platform. Tracked as CVE-2025-68613, this remote code execution vulnerability is now listed on CISA’s Known Exploited Vulnerabilities catalog, requiring federal civilian agencies to apply patches by March 25. This action underscores the serious risk posed by the flaw, which is already being actively leveraged by malicious actors in ongoing attacks.
n8n is a popular open-source tool for automating workflows, particularly in artificial intelligence development and data processing. It boasts substantial adoption, with tens of thousands of weekly downloads and over one hundred million pulls on Docker Hub. Because it functions as a central automation hub, n8n instances frequently contain highly sensitive information. This includes API keys, database credentials, OAuth tokens, and various cloud and CI/CD secrets, making compromised systems a treasure trove for threat actors.
The specific vulnerability exists within the platform’s workflow expression evaluation system. It involves improper control of dynamically managed code resources. In practical terms, an authenticated attacker can exploit this weakness to run arbitrary code on a vulnerable server, operating with the same privileges as the n8n process itself. A successful attack could result in a full system compromise. The n8n security team warns this could lead to unauthorized access to sensitive data, the ability to modify existing workflows, and the execution of commands at the system level.
The n8n developers resolved the issue in December with the release of version 1.122.0. They have strongly urged all administrators to apply this update without delay. For organizations unable to upgrade immediately, temporary mitigation strategies are available. These include restricting workflow creation and editing permissions exclusively to fully trusted users. Administrators are also advised to limit the operating system privileges of the n8n process and constrain its network access to reduce the potential impact of an exploit.
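As an added illustration that is not part of the article or of n8n's own tooling, the script below triages a constructed asset inventory against the fixed version 1.122.0 named above, so that a defender can see which hosts still need the update or the interim mitigations. It assumes each record carries the version string an administrator collected from the instance; the regular expression, function names and sample hosts are this example's own.

```python
"""Triage an n8n inventory against the fixed release (1.122.0) for CVE-2025-68613."""
import re

FIXED_VERSION = "1.122.0"  # release that resolved the flaw, per the advisory above

# Accepts "1.122.0", "v1.122.0" and prerelease tags such as "1.122.0-rc.1".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def parse_version(text):
    """Return (major, minor, patch, is_prerelease) or None if the string is not a version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), pre is not None)


def is_patched(version):
    """True if version >= 1.122.0, False if older, None if the version is unknown.

    Comparison is numeric per component, so "1.9.0" sorts below "1.122.0"
    (a plain string comparison would get this wrong). A prerelease of the
    fixed version itself is treated as unpatched.
    """
    parsed = parse_version(version)
    if parsed is None:
        return None
    core, is_pre = parsed[:3], parsed[3]
    fixed_core = parse_version(FIXED_VERSION)[:3]
    if core > fixed_core:
        return True
    if core == fixed_core:
        return not is_pre
    return False


def triage(inventory):
    """Bucket (host, version) records into patched / vulnerable / unknown lists."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version in inventory:
        status = is_patched(version) if version else None
        bucket = "unknown" if status is None else ("patched" if status else "vulnerable")
        report[bucket].append(host)
    return report


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("n8n-prod.example.internal", "1.122.0"),
    ("n8n-dev.example.internal", "1.121.3"),
    ("n8n-lab.example.internal", "1.9.0"),
    ("n8n-old.example.internal", ""),
]
```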
The scale of the exposure is significant. According to internet monitoring by the Shadowserver Foundation, more than 40,000 unpatched n8n instances remain exposed on the public internet. Geographic analysis shows a heavy concentration in North America, with over 18,000 vulnerable IPs, followed by Europe with more than 14,000. This widespread exposure creates a large attack surface for cybercriminals to target.
CISA’s binding operational directive, BOD 22-01, provides the authority for the mandatory patching order for federal agencies. The agency emphasized that this category of flaw is a common vector for malicious activity and represents a substantial risk to federal systems. Its guidance is clear: apply the vendor-provided mitigations, adhere to specific cloud service directives, or discontinue using the product if no fixes are available. While the directive formally applies only to federal executive branch agencies, CISA strongly recommends that all organizations using n8n prioritize patching to defend against active exploitation.
This recent critical flaw is part of a series of security issues addressed by the n8n team this year. Earlier in 2025, they patched another severe vulnerability nicknamed “Ni8mare,” which allowed unauthenticated remote attackers to take over unpatched servers. The consecutive discovery of such high-severity bugs highlights the importance of maintaining rigorous update cycles for automation and integration platforms that handle sensitive credentials and data.
(Source: Bleeping Computer)