๐ฏBasically, a botnet is using a serious flaw in n8n software to take control of systems.
The Flaw
CVE-2025-68613 is a critical vulnerability affecting the n8n workflow automation platform. This flaw allows authenticated attackers to execute remote code, potentially compromising the entire server. With a CVSS score of 9.9, it has a low attack complexity and a high impact on confidentiality, availability, and integrity. The vulnerability lies in n8nโs expression evaluation system, which processes user input in a way that can be exploited.
The vulnerability was disclosed by n8n developers on December 19, 2025, and it requires authentication to exploit. However, this barrier is not insurmountable; attackers can obtain credentials through various means, including brute force attacks or exploiting other vulnerabilities. The first active exploitation was identified in January 2026, marking a concerning trend in the vulnerability's lifecycle.
What's at Risk
As of mid-March 2026, there were over 71,000 exposed n8n instances worldwide, significantly widening the attack surface. The Zerobot botnet, which is based on the Mirai architecture, has been observed leveraging this vulnerability to gain unauthorized access. This type of attack can lead to remote code execution (RCE), allowing attackers to run arbitrary commands on the server.
The risk is compounded by the availability of a public Metasploit module, which simplifies the exploitation process. This means even less sophisticated attackers can weaponize the vulnerability, increasing the likelihood of widespread attacks. The potential for lateral movement within compromised networks further escalates the threat.
Patch Status
The n8n team has addressed this vulnerability in their security advisory, urging users to update to the latest versions of the platform. The remediation deadline set by CISA for federal agencies is March 25, 2026. Users are strongly encouraged to apply these updates as soon as possible to mitigate the risk of exploitation.
Monitoring for unusual activity, such as unexpected child process execution from n8n instances, is crucial. Organizations should be vigilant for indicators of compromise, including specific command executions that could signify active exploitation attempts.
Immediate Actions
To protect against the threat posed by CVE-2025-68613, organizations should take the following steps: By taking these proactive measures, organizations can significantly reduce their risk of falling victim to the Zerobot botnet and similar threats. Staying informed about vulnerabilities and applying timely updates is essential in todayโs evolving threat landscape.
Containment
- 1.Update n8n to the latest version immediately.
- 2.Monitor for unusual activity on n8n instances, particularly unexpected command executions.
Remediation
- 3.Implement strong authentication measures to protect against credential theft.
- 4.Consider employing network segmentation to limit the impact of potential breaches.
๐ Pro insight: The availability of a public exploit for CVE-2025-68613 significantly lowers the barrier for entry for attackers, increasing the urgency for patching.
