CISA orders feds to patch n8n RCE flaw exploited in attacks
CISA has ordered federal agencies to patch an actively exploited remote‑code‑execution flaw in the open‑source workflow platform n8n (CVE‑2025‑68613) by March 25, citing the vulnerability’s potential to compromise sensitive data and system operations. The n8n team released a fix in version 1.122.0 and advised administrators to apply it immediately or restrict workflow permissions as interim mitigation. Shadowserver reports over 40,000 unpatched instances online, with significant exposure in North America and Europe. CISA urges all network defenders to secure their systems against this threat as soon as possible.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent directive on Wednesday requiring federal agencies to patch their n8n instances by March 25. The open‑source workflow automation platform, which is widely used for AI data ingestion, is vulnerable to a remote code execution flaw tracked as CVE‑2025‑68613.
The flaw stems from n8n's dynamic evaluation of workflow expressions: an authenticated attacker who can create or edit a workflow can make the server evaluate attacker-controlled code, which then runs with the privileges of the n8n process. In practice, that means full control over the affected instance. Because the n8n process is the one that decrypts stored credentials when workflows run, an attacker at that level can read the secrets saved in workflows (API keys, database passwords, OAuth tokens, CI/CD secrets), modify or delete workflow configurations, and execute system‑level operations on the host.
The n8n team released a patch, version 1.122.0, in December to address CVE‑2025‑68613 and urges administrators to upgrade immediately. For those unable to update right away, the team recommends limiting workflow creation and editing permissions to trusted users only, restricting the operating system privileges of the n8n process, and tightening network access as interim mitigations. Since any user who can author a workflow can reach the flaw, these measures shrink the pool of people able to trigger it and limit the damage if someone does, but they do not remove the vulnerability; only the upgrade does.
Shadowserver’s monitoring shows that over 40,000 unpatched n8n instances remain exposed online, with more than 18,000 IPs in North America and 14,000 in Europe. The vulnerability has already been exploited in active attacks, underscoring the critical need for timely remediation.
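The first question for any defender reading the Shadowserver numbers is whether their own instances are among the unpatched ones. The script below is an added example (not n8n's code and not from the advisory) that triages a fleet against the fixed release named above. It assumes two things that are not stated in the article: that 1.122.0 is the threshold to compare against, and that an n8n instance's `GET /rest/settings` response reports the running version in a `versionCli` field inside the usual `{"data": ...}` wrapper. The hostnames and response bodies are constructed for the demo. The point the example makes beyond the paragraph is that version triage needs a numeric comparison: n8n's minor numbers are three digits long, so a string comparison would rank "1.9.5" as newer than "1.122.0".

```javascript
// Added example, not n8n's own code and not from the advisory: a fleet
// triage script for CVE-2025-68613. It assumes (a) the fixed release named
// in the article, 1.122.0, and (b) that an n8n instance's GET /rest/settings
// response carries the running version in a "versionCli" field inside the
// usual {"data": ...} wrapper. Both are assumptions about n8n, not facts
// taken from the article; adjust if your instance reports differently.

const FIXED_VERSION = '1.122.0';

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" (optional leading "v").
// Returns null for anything that does not look like a semver string.
function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(s).trim());
  if (!m) return null;
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), pre: m[4] || null };
}

// Numeric comparison, returning -1, 0 or 1. Plain string comparison is the
// classic mistake here: "1.9.5" > "1.122.0" lexicographically, so a naive
// check would wave through a badly outdated instance. A pre-release tag
// sorts before the plain release of the same triple (SemVer 2.0.0 rule).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${pa ? b : a}`);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1; // string order is good enough for triage
}

// True when the running version predates the fixed release.
function isVulnerable(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Extract the version from a /rest/settings body (string or parsed object).
// Accepts both the wrapped {"data": {...}} shape and a bare object; returns
// null when the field is absent or the body is not JSON (e.g. an HTML page).
function versionFromSettings(body) {
  let data = body;
  if (typeof body === 'string') {
    try { data = JSON.parse(body); } catch { return null; }
  }
  const inner = data && typeof data === 'object' && data.data ? data.data : data;
  const v = inner && inner.versionCli;
  return typeof v === 'string' ? v : null;
}

// Classify every host as "patch-now", "ok" or "unknown" (no usable version).
function triage(inventory) {
  return inventory.map(({ host, settings }) => {
    const version = versionFromSettings(settings);
    if (version === null || parseVersion(version) === null) {
      return { host, version, status: 'unknown' };
    }
    return { host, version, status: isVulnerable(version) ? 'patch-now' : 'ok' };
  });
}

// Constructed sample inventory (hostnames and bodies invented for the demo;
// in practice these would be the bodies returned by each instance).
const SAMPLE_INVENTORY = [
  { host: 'n8n-prod.corp.example',  settings: '{"data":{"versionCli":"1.9.5"}}' },
  { host: 'n8n-dev.corp.example',   settings: '{"data":{"versionCli":"1.121.3"}}' },
  { host: 'n8n-stage.corp.example', settings: '{"data":{"versionCli":"1.122.0"}}' },
  { host: 'n8n-lab.corp.example',   settings: '{"data":{"versionCli":"1.122.0-rc.1"}}' },
  { host: 'n8n-old.corp.example',   settings: '<html>login page, no API</html>' },
];

for (const r of triage(SAMPLE_INVENTORY)) {
  console.log(`${r.status.padEnd(9)} ${r.host.padEnd(24)} ${r.version ?? '?'}`);
}
```

To run this against real hosts, replace `SAMPLE_INVENTORY` with the bodies you collect from each instance (for example with `curl -s https://HOST/rest/settings`). Whether that endpoint answers without a session, and whether it still reports `versionCli` on your release, is something to confirm against your own deployment rather than assume; a host that returns an "unknown" here still needs a manual check, not a pass.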
CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog under BOD 22‑01, the binding operational directive issued in November 2021 that requires federal civilian agencies to remediate catalogued vulnerabilities by the deadline CISA sets for each one. While BOD 22‑01 applies only to federal entities, CISA has encouraged all network defenders, private and public, to secure their systems against CVE‑2025‑68613 as soon as possible.
Since the beginning of 2026, the n8n security team has addressed several severe vulnerabilities, including a flaw dubbed "Ni8mare" that lets remote attackers hijack unpatched servers. The run of serious n8n bugs in a short period is a reminder that a platform holding this many credentials needs prompt vendor patching and the permission, privilege and network restrictions described above as a standing baseline, not only as a stopgap.