root@rebel:~$ cd /news/threats/n8n-rce-via-cve-2025-68613-cisa-flags-active-exploitation_
[TIMESTAMP: 2026-03-12 08:18 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

n8n RCE via CVE-2025-68613 — CISA Flags Active Exploitation

CRITICAL Vulnerabilities #CVE-2025-68613#n8n#RCE
AI-Assisted Analysis
READ_TIME: 3 min read
// executive briefing tl;dr
  • [01] Attackers are actively exploiting CVE-2025-68613, a critical expression injection flaw in n8n, to run arbitrary code on the host and take over automated workflows and the credentials they hold.
  • [02] Unpatched n8n releases are affected, and roughly 24,700 instances are currently reachable from the public internet.
  • [03] Administrators must update n8n to a patched release now (1.120.4 or later per n8n's advisory), restrict who can author workflows, and review execution history for unauthorized activity.

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-68613 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation against n8n, a widely deployed workflow automation platform. The flaw is an expression injection bug rated CVSS 9.9. Per n8n's advisory, any authenticated user who can create or modify workflows, including low-privileged members, can craft an expression that escapes the evaluator and runs arbitrary code on the n8n host. The 9.9 reflects low required privileges combined with a scope change to the underlying system; it is not an unauthenticated attack. In practice the distinction is thin: an internet-facing instance with weak, reused or phished credentials hands an attacker exactly the account the exploit needs.

According to The Hacker News, approximately 24,700 n8n instances remain exposed to the public internet, and many of them are likely still running vulnerable versions. For organizations that use n8n to move sensitive data or orchestrate infrastructure, a successful exploit means full compromise of the instance and everything it is trusted to reach.

Technical Analysis of the n8n Expression Injection Vulnerability

The vulnerability lies in how n8n evaluates expressions, the {{ ... }} snippets that let a workflow compute values and reshape data as it passes between nodes. As a low-code platform, n8n routinely turns user-authored strings into executable logic. Before the fix, an expression crafted by a workflow author could break out of the evaluator's intended sandbox, so a field meant for data access became a way to run arbitrary JavaScript inside the n8n process.

Successful exploitation gives the adversary arbitrary code execution with the privileges of the n8n process. In many self-hosted deployments that process has broad reach: it can interact with the host OS, read environment variables (including API keys passed in through the environment and the key n8n uses to encrypt stored integration credentials), and pivot to whatever internal services the workflows were already allowed to call. That makes the flaw attractive for initial access or lateral movement inside a corporate network.

How to Detect CVE-2025-68613 Exploit Activity

Defenders should prioritize visibility into the automation platform's execution history. SOC analysts should review the expressions and Code-node scripts that workflows actually ran and look for JavaScript that does not match the workflow's business logic: references to child_process, fs or process (especially process.env and process.mainModule), dynamic require( calls, and constructor-chain tricks such as .constructor.constructor that reach the Function constructor from inside a sandbox. These are the building blocks attackers use to spawn shells, read secrets, stage C2 communication and exfiltrate data.

Monitoring outbound connections from n8n containers to unknown destinations can also reveal an ongoing compromise. Because n8n is usually wired to many third-party services, a baseline of legitimate egress is essential before SIEM alerting is useful. Any deviation from that baseline should be investigated immediately, and a new destination that first appears alongside anomalous workflow code should be treated as a high-confidence indicator of compromise.

Remediation and Mitigation Strategies

The primary recommendation for all administrators is to update n8n to a patched release immediately; n8n's advisory lists 1.120.4 as the fixed version. Despite the fix being available, the number of internet-facing instances suggests that many self-hosted operators have not yet applied it.

Beyond patching, organizations should limit the blast radius of any future n8n remote code execution with least-privilege and Zero Trust controls:

  • Network Segmentation: Isolate n8n instances from the broader internal network and restrict outbound access to the API endpoints the workflows actually need.
  • Environment Hardening: Run n8n in a restricted container as a non-root user with limited filesystem access, and keep only the secrets the instance genuinely needs in its environment, since anything in the process environment is readable once the process is compromised.
  • Authentication and Authorization: Put n8n behind a VPN or an identity-aware proxy so the editor and API are never reachable anonymously, enforce SSO and MFA, and, because this bug requires an account that can create or edit workflows, grant that right only to the users who need it.

Mapping this threat to the MITRE ATT&CK framework, the exploitation of CVE-2025-68613 corresponds to Exploit Public-Facing Application (T1190). Continuous monitoring via EDR on the host machine is recommended to detect post-exploitation behavior such as credential harvesting or the deployment of secondary malware.
