CISA ordered federal agencies to patch an actively exploited n8n remote code execution vulnerability (CVE-2025-68613) and added it to its Known Exploited Vulnerabilities catalog with a BOD 22-01 compliance deadline. n8n, widely used for workflow automation and AI data ingestion and often storing API keys and other sensitive credentials, was fixed in n8n v1.122.0, but Shadowserver reports over 40,000 exposed unpatched instances online. #n8n #CVE-2025-68613
Key points
- CISA ordered FCEB agencies to patch n8n by March 25 after adding CVE-2025-68613 to its KEV catalog.
- The vulnerability permits authenticated remote code execution with the privileges of the n8n process.
- n8n commonly stores API keys, database credentials, OAuth tokens, cloud access credentials, and CI/CD secrets.
- n8n v1.122.0 fixes CVE-2025-68613; administrators unable to upgrade should restrict workflow editing and limit OS/network privileges as mitigation.
- Shadowserver has detected over 40,000 unpatched n8n instances exposed online, with large concentrations in North America and Europe.