Automation platform used in AI workflows becomes a major target after attackers begin exploiting a critical remote code execution flaw.

CISA Issues Urgent Security Directive

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned organizations about a critical vulnerability in the n8n automation platform. The agency confirmed that attackers are actively exploiting the flaw in the wild.

As a result, CISA ordered federal agencies to patch affected systems immediately.

The vulnerability is tracked as CVE-2025-68613. It allows authenticated attackers to execute arbitrary code on vulnerable servers.

If attackers exploit the flaw successfully, they can take control of the system running n8n.

Why n8n Is an Attractive Target

n8n is a widely used open-source workflow automation platform. Developers use it to automate data ingestion, integrate services, and build AI-driven workflows.

The platform has become extremely popular. It records over 50,000 weekly downloads on npm and more than 100 million Docker pulls.

However, automation tools like n8n often store sensitive information. These systems may contain:

  • API keys
  • Database credentials
  • OAuth tokens
  • Cloud storage access keys
  • CI/CD secrets

Because of this, attackers view n8n servers as high-value targets.

How the Vulnerability Works

The flaw exists in the workflow expression evaluation system inside n8n.

Improper handling of dynamically managed code allows attackers to inject malicious commands. Once executed, those commands run with the same privileges as the n8n process.

Attackers who exploit the vulnerability can:

  • Access sensitive data
  • Modify automated workflows
  • Execute system-level commands
  • Install additional malware

In severe cases, the entire automation environment may become compromised.

Patch Already Released

The n8n development team fixed the issue in version 1.122.0, released in December.

Administrators should upgrade to the latest version immediately.

If upgrading is not possible right away, security teams should apply temporary protections:

  • Limit workflow creation and editing permissions
  • Allow only trusted users to manage workflows
  • Restrict operating system privileges
  • Reduce network access where possible

These steps can reduce the impact of potential attacks.
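
To prioritise upgrades, an inventory of deployed n8n versions can be compared against the fixed release named above. The script below is an added example, not code from n8n or CISA; the inventory format, hostnames and status labels are assumptions, and it treats anything below 1.122.0 as needing an upgrade because that is the only fixed version this article names.

```python
import re

FIXED = (1, 122, 0)  # fixed release as stated in this article

# Accepts npm-style ("n8n@1.121.3"), image-tag ("n8nio/n8n:1.119.2") or bare versions.
_VERSION_RE = re.compile(r"(?:^|[@:\s])v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$")


def classify(ref):
    """Return 'patched', 'needs-upgrade' or 'unknown' for one version reference."""
    m = _VERSION_RE.search(ref.strip())
    if not m:
        # Floating tags such as 'latest' do not reveal which build is running.
        return "unknown"
    core = tuple(int(part) for part in m.group(1, 2, 3))  # numeric, not string, compare
    if core > FIXED:
        return "patched"
    if core == FIXED and m.group(4) is None:
        return "patched"
    # Lower versions, and pre-releases of the fixed version, sort before 1.122.0.
    return "needs-upgrade"


def triage(inventory_text):
    """Map each host in a 'host <whitespace> version-reference' listing to a status."""
    results = {}
    for line in inventory_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.split(None, 1)
        results[parts[0]] = classify(parts[1] if len(parts) > 1 else "")
    return results


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = """\
automation-01  n8nio/n8n:1.119.2
automation-02  n8n@1.122.0
ai-pipeline    docker.n8n.io/n8nio/n8n:1.123.4
staging        n8nio/n8n:latest
lab            n8n@1.122.0-rc.1
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        if status != "patched":
            print(f"{host}: {status}")
```

Hosts reported as unknown need their running version confirmed directly, since a floating tag can point at an old image pulled before the fix.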

Thousands of Systems Still Exposed

Despite the available patch, many systems remain vulnerable.

Security monitoring group Shadowserver reports more than 40,000 exposed n8n instances online.

The largest numbers of vulnerable systems appear in:

  • North America
  • Europe

These exposed servers increase the risk of large-scale exploitation.

Added to CISA’s Known Exploited Vulnerabilities List

CISA has now added CVE-2025-68613 to its Known Exploited Vulnerabilities (KEV) catalog.

The agency ordered Federal Civilian Executive Branch (FCEB) agencies to secure their systems by March 25 under Binding Operational Directive 22-01.

Although this directive targets U.S. federal agencies, the warning applies globally.

Why This Matters for Organizations

Automation platforms often sit at the center of modern IT infrastructure. They connect multiple services, cloud systems, and development pipelines.

As a result, attackers who compromise these platforms may gain access to many connected systems.

Organizations should treat workflow automation tools as critical infrastructure components. Strong access controls, regular patching, and security monitoring are essential.

As automation continues to expand across AI and DevOps environments, securing these platforms will become even more important.