Critical n8n RCE Vulnerability (CVE-2025-68613) Leads to System Compromise
Executive Summary
In December 2025, a critical Remote Code Execution (RCE) vulnerability, identified as CVE-2025-68613, was discovered in n8n, an open-source workflow automation platform. This flaw, present in versions from 0.211.0 up to but not including 1.120.4, 1.121.1, and 1.122.0, allows authenticated users to execute arbitrary code with the privileges of the n8n process. Exploitation can lead to full system compromise, including unauthorized data access and workflow manipulation. Despite patches being released, as of early February 2026, over 24,700 unpatched instances remain exposed online, with significant concentrations in North America and Europe.
The inclusion of CVE-2025-68613 in CISA's Known Exploited Vulnerabilities catalog underscores the urgency for organizations to address this issue. The widespread exposure highlights the critical need for prompt patching and vigilant security practices to mitigate potential exploitation risks.
Why This Matters Now
The active exploitation of CVE-2025-68613 and the substantial number of unpatched n8n instances pose a significant security threat. Organizations must urgently apply the available patches to prevent potential system compromises and data breaches.
Attack Path Analysis
An authenticated attacker exploited a remote code execution vulnerability in n8n's workflow expression evaluation system to execute arbitrary code, leading to full system compromise. The attacker escalated privileges to gain administrative control, moved laterally within the network to access other systems, established a command and control channel to maintain persistent access, exfiltrated sensitive data, and ultimately disrupted operations by modifying workflows and deploying malware.
Kill Chain Progression
Initial Compromise
Description
An authenticated attacker exploited a remote code execution vulnerability in n8n's workflow expression evaluation system to execute arbitrary code.
Related CVEs
CVE-2025-68613
CVSS 8.8A critical Remote Code Execution (RCE) vulnerability in n8n's workflow expression evaluation system allows authenticated users to execute arbitrary code with the privileges of the n8n process.
Affected Products:
n8n n8n – 0.211.0 to 1.120.3
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploitation for Client Execution
Exploitation of Remote Services
Command and Scripting Interpreter
Valid Accounts
Create or Modify System Process
Remote Services
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Applications and Workloads
Control ID: Pillar 3
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology/IT
High risk from CVE-2025-68613 RCE vulnerability with 24,700 exposed n8n instances enabling complete system compromise and workflow automation infrastructure breaches.
Financial Services
Critical exposure through workflow automation platforms processing sensitive financial data, with compliance violations under PCI DSS and potential complete instance compromise.
Health Care / Life Sciences
Severe HIPAA compliance violations possible through compromised n8n workflows handling patient data, enabling unauthorized access to sensitive healthcare automation systems.
Government Administration
Federal agencies under BOD 22-01 mandate face critical risk with March 25 patching deadline for n8n instances exposed to remote code execution.
Sources
- CISA Flags Actively Exploited n8n RCE Bug as 24,700 Instances Remain Exposedhttps://thehackernews.com/2026/03/cisa-flags-actively-exploited-n8n-rce.htmlVerified
- CVE-2025-68613 Detailhttps://nvd.nist.gov/vuln/detail/CVE-2025-68613Verified
- CISA Adds One Known Exploited Vulnerability to Cataloghttps://www.cisa.gov/known-exploited-vulnerabilities-catalogVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to escalate privileges, move laterally, and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to execute arbitrary code may have been constrained by enforcing strict identity-aware policies and workload isolation.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges may have been limited by enforcing least-privilege access controls and strict segmentation policies.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement within the network could have been constrained by monitoring and controlling east-west traffic between workloads.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish and maintain command and control channels may have been limited by continuous monitoring and control across multicloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data could have been constrained by enforcing strict egress policies and monitoring outbound traffic.
The attacker's ability to disrupt operations may have been limited by reducing the blast radius through strict segmentation and access controls.
Impact at a Glance
Affected Business Functions
- Workflow Automation
- Data Processing
- System Administration
Estimated downtime: 7 days
Estimated loss: $500,000
Potential unauthorized access to sensitive data, including workflow configurations and processed information.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to enforce least privilege access and prevent unauthorized lateral movement.
- • Deploy Inline IPS (Suricata) to detect and block known exploit patterns and malicious payloads.
- • Utilize Cloud Firewall (ACF) to control outbound traffic and prevent unauthorized data exfiltration.
- • Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities promptly.
- • Regularly update and patch systems to mitigate known vulnerabilities and reduce the attack surface.
