Critical n8n RCE Flaw Under Active Attack: CISA Issues Emergency Warning

Automation is the backbone of modern operations, but it often creates the most dangerous attack vectors. This week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) sounded the alarm by adding a critical security flaw affecting n8n, a popular workflow automation platform, to its Known Exploited Vulnerabilities (KEV) catalog.

The designation is significant: CISA does not add vulnerabilities to this list unless there is concrete evidence of active exploitation in the wild. With over 24,000 instances currently exposed to the internet, the race is on to patch this vulnerability before threat actors turn your automation scripts into backdoors.

The Vulnerability: CVE-2025-68613

Tracked as CVE-2025-68613, this flaw carries a CVSS score of 9.9 (Critical). It is classified as an Expression Injection vulnerability leading to Remote Code Execution (RCE).

Technical Analysis

n8n allows users to execute expressions within workflows to process data dynamically. The vulnerability stems from insufficient sanitization of user-supplied inputs within these expression evaluations.

In this specific scenario, an attacker can craft a malicious payload that is subsequently interpreted by the underlying JavaScript engine. Because the application executes this code with the privileges of the n8n process, it leads to full RCE.

The Attack Vector:

1. Initial Access: Attackers scan for internet-facing n8n instances (often on default ports or specific paths).
2. Payload Delivery: A malicious request is sent, likely via a webhook trigger or an unauthenticated endpoint that accepts user input.
3. Code Execution: The input is processed by an expression evaluator, executing the attacker's command (e.g., reverse shell, data exfiltration, or malware deployment).

Why This Matters for SOC Teams

While n8n is often used for business process automation (BPA), it is increasingly integrated into DevOps pipelines and security tooling. A compromised n8n instance gives an attacker a foothold within the internal network, often with high privileges, allowing them to move laterally to sensitive data stores or production environments.

Detection and Threat Hunting

Given the active exploitation status, Security Operations Centers (SOCs) must assume that scans and probes are already occurring. Use the following queries and scripts to identify vulnerable versions or signs of compromise.

1. Identify Exposed or Vulnerable Instances (Bash)

If you are managing n8n via Docker or standard Linux environments, use this snippet to check the running version against the patched release (n8n versions prior to the latest patch are vulnerable).

#!/bin/bash
# Check for running n8n containers and inspect version

CONTAINERS=$(docker ps --filter "ancestor=n8nio/n8n" --format "{{.ID}}")

if [ -z "$CONTAINERS" ]; then
    echo "No n8n containers currently running via Docker."
else
    echo "Checking n8n container versions..."
    for ID in $CONTAINERS; do
        echo "Container ID: $ID"
        docker exec $ID n8n version
        # Compare output against patched version (Check n8n security advisory for specific fixed version)
    done
fi

2. Hunt for Suspicious Process Spawning (KQL)

The exploitation of this vulnerability typically results in the n8n process spawning unexpected shells (bash, sh, zsh) or scripting tools (python, perl, node). Use this KQL query in Microsoft Sentinel to hunt for anomalous child processes.

DeviceProcessEvents
| where InitiatingProcessFileName has "node" 
| where InitiatingProcessCommandLine contains "n8n"
| where Timestamp > ago(7d)
| project Timestamp, DeviceName, AccountName, 
          InitiatingProcessCommandLine, 
          ProcessCommandLine, 
          ProcessFileName, 
          FolderPath
| where ProcessFileName in~ ("bash", "sh", "zsh", "powershell", "pwsh", "python", "python3", "perl", "curl", "wget", "nc")
| order by Timestamp desc

3. Web Request Anomaly Detection (Python)

If you have exported access logs from your web server or reverse proxy (e.g., Nginx) sitting in front of n8n, you can scan for suspicious payload patterns often associated with code injection attempts.

import re

def scan_logs_for_injection(log_file_path):
    # Regex pattern looking for common expression injection syntax
    # or suspicious characters in URL parameters
    injection_pattern = re.compile(
        r'(\%7B|\{).*?\$.*?(\%7D|\})|(\%7C|\|).*?\%7C|expression.*?=',
        re.IGNORECASE
    )

    try:
        with open(log_file_path, 'r') as file:
            for line in file:
                if injection_pattern.search(line):
                    print(f"[ALERT] Potential injection found: {line.strip()}")
    except FileNotFoundError:
        print(f"File {log_file_path} not found.")

# Usage: scan_logs_for_injection('/var/log/nginx/access.log')

Mitigation Strategies

1. Patch Immediately: The primary mitigation is to upgrade n8n to the latest version immediately. The vendor has released a patch that addresses the expression injection flaw. Do not wait for a standard maintenance window.

2. Restrict Network Exposure: If n8n does not need to be publicly accessible, place it behind a VPN or restrict access via IP whitelisting on your firewall. Ensure that the management interface is not exposed to the open internet.

3. Review Webhook Security: Audit all active webhooks. Ensure that unauthenticated webhooks are not directly processing user input into expression nodes without strict validation.

4. Implement Principle of Least Privilege: Run the n8n application using a non-root user with the minimum necessary file system and network permissions.

Conclusion

The addition of CVE-2025-68613 to the CISA KEV catalog is a clear signal that the window for "patch management" has closed and "incident response" has begun. With thousands of instances exposed, the automation tools driving your efficiency must not become the engine of your compromise.

Related Resources

Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub