
CISA Flags Actively Exploited n8n RCE Bug — 24,700 Workflow Automation Instances Remain Exposed

May 15, 2026

Executive Summary

CISA added a critical n8n expression injection vulnerability (CVE-2025-68613, CVSS 9.9) to the KEV catalog. Over 24,700 n8n instances are internet-accessible, and attackers are exploiting sandbox escapes for remote code execution.

📊 Market Strategic Impact

24,700 internet-exposed n8n instances with CVSS 9.9 RCE. Workflow automation platforms are becoming prime initial access vectors.

CISA Flags n8n RCE: Workflow Automation Under Fire

TL;DR

  • CISA added CVE-2025-68613 (CVSS 9.9) to the Known Exploited Vulnerabilities catalog — the first n8n vulnerability to receive this designation.
  • Two additional critical bugs — CVE-2026-27577 (sandbox escape → RCE) and CVE-2026-27493 (unauthenticated expression evaluation) — were disclosed by Pillar Security.
  • Over 24,700 n8n instances remain internet-exposed, many unpatched.
The Full Story

n8n is a popular open-source workflow automation platform, the "Zapier you can self-host." The vulnerabilities form a particularly dangerous chain: an unauthenticated attacker visits a public n8n Form endpoint → triggers expression injection → escapes the sandbox → achieves full RCE on the n8n server.

From there, the attacker has access to all workflow configurations containing API keys, database credentials, OAuth tokens, and connected services.

So What? — Market Impact

For DevOps teams: Update immediately to version 1.122.0+. Place n8n behind a VPN or reverse proxy with authentication.

For the low-code ecosystem: Workflow automation tools store enormous amounts of credentials. A single compromised instance can cascade into dozens of connected services. Expect n8n exploitation in ransomware kill chains.
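To turn the DevOps guidance above into a work queue, the following added example (not code from n8n, CISA, or the cited sources) ranks an asset inventory by the two conditions the brief names: version below 1.122.0 and internet exposure without authentication in front. The inventory fields, hostnames, and priority labels are assumptions made for illustration.

```python
import re

# Minimum fixed release as stated on this page ("version 1.122.0+").
MIN_FIXED = (1, 122, 0)
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$")
_ORDER = ["P0", "P1", "P2", "OK"]  # hypothetical priority labels

def is_patched(version):
    """True/False for a parseable version, None when it cannot be parsed."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None  # e.g. a "latest" image tag: cannot be assumed safe
    core = tuple(int(part) for part in m.group(1, 2, 3))
    # A pre-release such as 1.122.0-rc.1 sorts before 1.122.0 itself.
    if core == MIN_FIXED and m.group(4):
        return False
    return core >= MIN_FIXED

def triage(inst):
    """Return (priority, action) for one inventory record."""
    patched = is_patched(inst["version"])
    open_to_internet = inst["internet_exposed"] and not inst["auth_in_front"]
    if patched is not True and open_to_internet:
        return ("P0", "upgrade now; move behind VPN or authenticating proxy")
    if patched is None:
        return ("P1", "version unknown: verify and treat as unpatched")
    if not patched:
        return ("P1", "upgrade to 1.122.0 or later")
    if open_to_internet:
        return ("P2", "patched; still move behind VPN or authenticating proxy")
    return ("OK", "no action")

def report(inventory):
    """Rows of (priority, host, action), most urgent first."""
    rows = [(triage(i)[0], i["host"], triage(i)[1]) for i in inventory]
    return sorted(rows, key=lambda row: _ORDER.index(row[0]))

# Constructed sample inventory: hostnames and versions are made up.
INVENTORY = [
    {"host": "n8n-e", "version": "2.0.1", "internet_exposed": True, "auth_in_front": True},
    {"host": "n8n-d", "version": "v1.122.0", "internet_exposed": True, "auth_in_front": False},
    {"host": "n8n-c", "version": "latest", "internet_exposed": True, "auth_in_front": True},
    {"host": "n8n-b", "version": "1.122.0-rc.1", "internet_exposed": False, "auth_in_front": False},
    {"host": "n8n-a", "version": "1.121.3", "internet_exposed": True, "auth_in_front": False},
]

if __name__ == "__main__":
    for prio, host, action in report(INVENTORY):
        print(f"{prio:3} {host:8} {action}")
```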

Sources

  • The Hacker News: "CISA Flags Actively Exploited n8n RCE Bug"
  • CISA KEV Catalog: CVE-2025-68613