{"id":238,"date":"2026-03-12T05:39:13","date_gmt":"2026-03-12T05:39:13","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=238"},"modified":"2026-03-12T05:39:13","modified_gmt":"2026-03-12T05:39:13","slug":"cisa-flags-actively-exploited-n8n-rce-bug-as-24700-instances-remain-exposed","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=238","title":{"rendered":"CISA Flags Actively Exploited n8n RCE Bug as 24,700 Instances Remain Exposed"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span><span class=\"author\">Mar 12, 2026<\/span><\/span><span class=\"p-tags\">Vulnerability \/ Enterprise Security<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>The U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday <a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2026\/03\/11\/cisa-adds-one-known-exploited-vulnerability-catalog\" rel=\"noopener\" target=\"_blank\">added<\/a> a critical security flaw impacting n8n to its Known Exploited Vulnerabilities (<a href=\"https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog\" rel=\"noopener\" target=\"_blank\">KEV<\/a>) catalog, based on evidence of active exploitation.<\/p>\n<p>The vulnerability, tracked as <strong><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-68613\" rel=\"noopener\" target=\"_blank\">CVE-2025-68613<\/a><\/strong> (CVSS score: 9.9), concerns a case of expression injection that leads to remote code execution. The security shortcoming was patched by n8n in December 2025 in versions 1.120.4, 1.121.1, and 1.122.0. CVE-2025-68613 is the first n8n vulnerability to be placed in the KEV catalog.<\/p>\n<p>\"N8n contains an improper control of dynamically managed code resources vulnerability in its workflow expression evaluation system that allows for remote code execution,\" CISA said.<\/p>\n<p>According to the maintainers of the workflow automation platform, the vulnerability could be weaponized by an authenticated attacker to execute arbitrary code with the privileges of the n8n process.<\/p>\n<p>Successful exploitation of the flaw could result in a 
complete compromise of the instance, enabling the attacker to access sensitive data, modify workflows, or execute system-level operations.<\/p>\n<p>There are currently no details on how the vulnerability is being exploited in the wild. Data from the Shadowserver Foundation <a href=\"https:\/\/dashboard.shadowserver.org\/statistics\/combined\/time-series\/?date_range=other_range&amp;d1=2025-12-20&amp;d2=2026-03-10&amp;source=http_vulnerable&amp;source=http_vulnerable6&amp;tag=cve-2025-68613%2B&amp;dataset=unique_ips&amp;limit=100&amp;group_by=geo&amp;stacking=stacked&amp;auto_update=on\" rel=\"noopener\" target=\"_blank\">shows<\/a> that there are more than 24,700 unpatched instances exposed online, with more than 12,300 of them located in North America and 7,800 in Europe as of early February 2026.<\/p>\n<p>The addition of CVE-2025-68613 comes as Pillar Security disclosed two critical flaws in n8n, one of which \u2013 CVE-2026-27577 (CVSS score: 9.4) \u2013 has been classified as \"additional exploits\" discovered in the workflow expression evaluation system following CVE-2025-68613.<\/p>\n<p>Federal Civilian Executive Branch (FCEB) agencies have been ordered to patch their n8n instances by March 25, 2026, as mandated by a Binding Operational Directive (BOD 22-01) issued in November 2021.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Mar 12, 2026Vulnerability \/ Enterprise Security The U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting n8n to its Known Exploited Vulnerabilities (KEV)&hellip;<\/p>\n","protected":false},"author":1,"featured_media":239,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[201,610,62,128,137,542,301,602,316,611],"class_list":["post-238","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-actively","tag-bug","tag-cisa","tag-exploited","tag-exposed","tag-flags","tag-instances","tag-n8n","tag-rce","tag-remain"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/238","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=238"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/238\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/239"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=238"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=238"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=238"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}