Your workflow automation is now an active execution engine for attackers. ⚙️
CVE-2025-68613 · Severity 9.9 · Critical Remote Code Execution in n8n.
The @[CISA](urn:li:organization:13010360) has added a critical expression injection flaw in n8n to its Known Exploited Vulnerabilities catalog today. This vulnerability allows an unauthenticated attacker to execute arbitrary system-level commands by exploiting the workflow expression evaluation system.
Current estimates show that over 24,000 n8n instances remain exposed on the internet without the necessary patches. Attackers are leveraging this to modify workflows, exfiltrate sensitive data from connected apps like Slack and Gmail, and gain full control over the underlying server environment.
The uncomfortable truth: Your automation platform has deeper access to your corporate data than almost any other tool, making it the highest-value target for initial entry.
→ Update n8n to version 1.120.4, 1.121.1, or 1.122.0 immediately.
→ Strictly isolate n8n instances from the public internet using a secure VPN or Zero Trust gateway.
→ Audit your workflow logs for any unauthorized modifications or anomalous outbound API requests.
Have you confirmed that your automation platform is not part of the 24,000 unpatched instances exposed online? 👇
#Cybersecurity #AppSec #Automation #ZeroTrust #CISO #CodeDefence