Critical n8n Zero-Day Exploit Forces CISA to Add to KEV Catalog Amid 24,700 Active Exposures

Executive Take: The addition of CVE-2025-68613 to CISA’s KEV catalog signals a severe escalation in the threat landscape. With 24,700 instances still exposed and a CVSS score of 9.9, this RCE vulnerability represents an immediate operational risk to critical infrastructure. Organizations using n8n must act now or face potential compromise.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has formally added a critical vulnerability in the popular workflow automation tool n8n to its Known Exploited Vulnerabilities (KEV) catalog. The move comes after confirmed reports of active exploitation in the wild.

The flaw, designated CVE-2025-68613, carries a near-perfect CVSS severity rating of 9.9. It stems from an expression injection vulnerability that enables remote code execution—allowing attackers to run arbitrary commands on affected systems. The security team at n8n issued a patch, but the window for exploitation remains dangerously wide.

According to recent scans, approximately 24,700 instances of n8n remain publicly exposed online. This massive attack surface, combined with the vulnerability’s critical severity and active exploitation, creates a perfect storm for threat actors. The KEV catalog addition serves as both a warning and a directive: patch immediately or risk compromise.

Critical infrastructure operators, DevOps teams, and security professionals should prioritize this update. The consequences of inaction could be severe, ranging from data exfiltration to full system takeover.