CISA Flags Actively Exploited n8n RCE Bug as 24,700 Instances Remain Exposed

CISA Flags Actively Exploited n8n RCE Bug as 24,700 Instances Remain Exposed Ravie LakshmananMar 12, 2026Vulnerability / Enterprise Security The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting n8n to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability, tracked as CVE-2025-68613 (CVSS score: 9.9), concerns a case of expression injection that leads to remote code execution. The security shortcoming was patched by n8n in December 2025 in versions 1.120.4, 1.121.1, and 1.122.0. CVE-2025-68613 is the first n8n vulnerability to be placed in the KEV catalog. "N8n contains an improper control of dynamically managed code resources vulnerability in its workflow expression evaluation system that allows for remote code execution," CISA said. According to the maintainers of the workflow automation platform, the vulnerability could be weaponized by an authenticated attacker to execute arbitrary code with the privileges of the n8n process. Successful exploitation of the flaw could result in a complete compromise of the instance, enabling the attacker to access sensitive data, modify workflows, or execute system-level operations. There are currently no details on how the vulnerability is being exploited in the wild. Data from the Shadowserver Foundation shows that there are more than 24,700 unpatched instances exposed online, with more than 12,300 of them located in North America and 7,800 in Europe as of early February 2026. The addition of CVE-2025-68613 comes as Pillar Security disclosed two critical flaws in n8n, one of which – CVE-2026-27577 (CVSS score: 9.4) – has been classified as "additional exploits" discovered in the workflow expression evaluation system following CVE-2025-68613. Federal Civilian Executive Branch (FCEB) agencies have been ordered to patch their n8n instances by March 25, 2026, as mandated by a Binding Operational Directive (BOD 22-01) issued in November 2021. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  CISA, cybersecurity, enterprise security, n8n, remote code execution, software security, Threat Intelligence, Vulnerability Trending News Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine and More Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries ⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack and Vibe-Coded Malware ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer Load More ▼ Popular Resources Self-Hosted WAF: Block SQLi, XSS, and Bots Before They Reach Your Apps Read CYBER360 2026: From Zero Trust Limits to Data-Centric Security Paths 19,053 Confirmed Breaches in 2025 – Key Trends and Predictions for 2026 Identity Controls Checklist: Find Missing Protections in Apps