CVE-2025-68613 - Zerobot Botnet Exploits Critical Flaw
Basically, a botnet is using a serious flaw in n8n software to take control of systems.
Zerobot botnet exploits a critical flaw in the n8n platform, risking remote code execution. Over 71,000 instances are exposed, raising alarms for users. Immediate updates are crucial to prevent exploitation.
The Flaw
CVE-2025-68613 is a critical vulnerability affecting the n8n workflow automation platform. This flaw allows authenticated attackers to execute remote code, potentially compromising the entire server. With a CVSS score of 9.9, it has a low attack complexity and a high impact on confidentiality, availability, and integrity. The vulnerability lies in n8n’s expression evaluation system, which processes user input in a way that can be exploited.
The vulnerability was disclosed by n8n developers on December 19, 2025, and it requires authentication to exploit. However, this barrier is not insurmountable; attackers can obtain credentials through various means, including brute force attacks or exploiting other vulnerabilities. The first active exploitation was identified in January 2026, marking a concerning trend in the vulnerability's lifecycle.
What's at Risk
As of mid-March 2026, there were over 71,000 exposed n8n instances worldwide, significantly widening the attack surface. The Zerobot botnet, which is based on the Mirai architecture, has been observed leveraging this vulnerability to gain unauthorized access. This type of attack can lead to remote code execution (RCE), allowing attackers to run arbitrary commands on the server.
The risk is compounded by the availability of a public Metasploit module, which simplifies the exploitation process. This means even less sophisticated attackers can weaponize the vulnerability, increasing the likelihood of widespread attacks. The potential for lateral movement within compromised networks further escalates the threat.
Patch Status
The n8n team has addressed this vulnerability in their security advisory, urging users to update to the latest versions of the platform. The remediation deadline set by CISA for federal agencies is March 25, 2026. Users are strongly encouraged to apply these updates as soon as possible to mitigate the risk of exploitation.
Monitoring for unusual activity, such as unexpected child process execution from n8n instances, is crucial. Organizations should be vigilant for indicators of compromise, including specific command executions that could signify active exploitation attempts.
Immediate Actions
To protect against the threat posed by CVE-2025-68613, organizations should take the following steps:
- Update n8n to the latest version immediately.
- Monitor for unusual activity on n8n instances, particularly unexpected command executions.
- Implement strong authentication measures to protect against credential theft.
- Consider employing network segmentation to limit the impact of potential breaches.
By taking these proactive measures, organizations can significantly reduce their risk of falling victim to the Zerobot botnet and similar threats. Staying informed about vulnerabilities and applying timely updates is essential in today’s evolving threat landscape.
Intel 471 Blog