Critical n8n RCE Vulnerability (CVE-2025-68613) Exposes Systems to Full Compromise
Executive Summary
In December 2025, a critical Remote Code Execution (RCE) vulnerability, identified as CVE-2025-68613, was discovered in n8n, an open-source workflow automation platform. This flaw allowed authenticated users to execute arbitrary code on the server by exploiting insufficient isolation in the workflow expression evaluation system. Successful exploitation could lead to full system compromise, including unauthorized access to sensitive data and modification of workflows. (nvd.nist.gov)
The vulnerability was addressed in n8n versions 1.120.4, 1.121.1, and 1.122.0. However, as of March 2026, over 40,000 unpatched instances remain exposed online, with significant concentrations in North America and Europe. (bleepingcomputer.com)
Why This Matters Now
The continued presence of unpatched n8n instances poses a significant security risk, as threat actors actively exploit CVE-2025-68613 to gain unauthorized access and control over affected systems. Immediate patching is crucial to prevent potential data breaches and system compromises.
Attack Path Analysis
An authenticated attacker exploited a vulnerability in n8n's workflow expression evaluation system to execute arbitrary code, leading to full system compromise. The attacker then escalated privileges by accessing sensitive data and modifying workflows. Utilizing the compromised n8n instance, the attacker moved laterally to other systems within the network. They established command and control channels to maintain persistent access. Sensitive data was exfiltrated from the compromised systems. Finally, the attacker disrupted operations by modifying or destroying automation logic.
Kill Chain Progression
Initial Compromise
Description
An authenticated attacker exploited a vulnerability in n8n's workflow expression evaluation system to execute arbitrary code, leading to full system compromise.
Related CVEs
CVE-2025-68613
CVSS 8.8A critical Remote Code Execution vulnerability in n8n's workflow expression evaluation system allows authenticated users to execute arbitrary code, potentially leading to full system compromise.
Affected Products:
n8n n8n – 0.211.0 to 1.120.3
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Command and Scripting Interpreter
Exploitation for Client Execution
Exploitation for Privilege Escalation
Exploitation for Defense Evasion
Event Triggered Execution
Data from Local System
Data Manipulation
Stored Data Manipulation
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Asset Management
Control ID: 2.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
CISA's BOD 22-01 mandate requires federal agencies to patch n8n RCE vulnerability by March 25, with immediate risk to sensitive government workflow automation systems.
Financial Services
n8n workflow automation platforms store critical API keys, OAuth tokens, and database credentials, creating high-value targets for remote code execution attacks in financial operations.
Information Technology/IT
Over 40,000 exposed n8n instances globally present massive attack surface for RCE exploitation, particularly affecting AI development workflows and CI/CD pipeline security management.
Health Care / Life Sciences
Healthcare workflow automation through n8n creates HIPAA compliance risks when RCE vulnerabilities compromise patient data processing systems and sensitive healthcare API credentials.
Sources
- CISA orders feds to patch n8n RCE flaw exploited in attackshttps://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-n8n-rce-flaw-exploited-in-attacks/Verified
- n8n Remote Code Execution via Expression Injectionhttps://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cpVerified
- NVD - CVE-2025-68613https://nvd.nist.gov/vuln/detail/CVE-2025-68613Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to escalate privileges, move laterally, and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to execute arbitrary code may have been constrained, reducing the likelihood of full system compromise.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to access sensitive data and modify workflows would likely have been restricted, limiting privilege escalation.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement to other systems would likely have been constrained, reducing the spread of the attack.
Control: Multicloud Visibility & Control
Mitigation: The establishment of command and control channels may have been detected and disrupted, reducing persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: The exfiltration of sensitive data would likely have been restricted, reducing data loss.
The attacker's ability to disrupt operations by modifying or destroying automation logic would likely have been constrained, reducing operational impact.
Impact at a Glance
Affected Business Functions
- Workflow Automation
- Data Integration
- API Management
Estimated downtime: 7 days
Estimated loss: $50,000
Potential exposure of sensitive data including API keys, database credentials, OAuth tokens, and CI/CD secrets.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to restrict access and limit lateral movement within the network.
- • Deploy Inline IPS (Suricata) to detect and prevent exploitation attempts targeting known vulnerabilities.
- • Utilize Threat Detection & Anomaly Response systems to identify and respond to unusual activities promptly.
- • Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- • Ensure all systems are regularly updated and patched to mitigate known vulnerabilities.
