CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added CVE-2025-68613, an Improper Control of Dynamically-Managed Code Resources vulnerability in n8n, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. Organizations are strongly urged to prioritize remediation to reduce exposure to cyberattacks.

Sens: Immediate | Conf: high | Analyzed: 2026-03-11 | reports

Authors: CISA

Source: CISA

Key Takeaways

  • CISA has added CVE-2025-68613 to the Known Exploited Vulnerabilities (KEV) Catalog.
  • The vulnerability affects n8n and involves Improper Control of Dynamically-Managed Code Resources.
  • There is confirmed evidence of active exploitation in the wild.
  • Federal Civilian Executive Branch (FCEB) agencies are mandated to remediate this vulnerability per BOD 22-01.
  • All organizations are strongly urged to prioritize patching this vulnerability to reduce cyberattack exposure.

Affected Systems

  • n8n

Vulnerabilities (CVEs)

  • CVE-2025-68613

Attack Chain

Threat actors are actively exploiting CVE-2025-68613, an improper control of dynamically-managed code resources vulnerability in n8n. Specific attack chain details, payloads, and post-exploitation activities are not detailed in the CISA alert.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

Detection Engineering Assessment

  • EDR Visibility: Low. The alert does not provide specific post-exploitation TTPs, processes, or payloads that EDR could detect.
  • Network Visibility: Low. No network indicators or exploit signatures are provided in the alert.
  • Detection Difficulty: Hard. Without specific exploit payloads or IOCs, detecting the exploitation of this specific CVE relies on generic anomaly detection or vendor-supplied patches.

Required Log Sources

  • Application Logs
  • Web Server Logs

Hunting Hypotheses

  • Hypothesis: Look for unusual child processes spawned by the n8n application service, which may indicate successful exploitation of dynamically-managed code resources.
  • Telemetry: Process Creation (Event ID 4688 / Sysmon Event ID 1)
  • ATT&CK Stage: Execution
  • FP Risk: Medium
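
The hunting hypothesis above, written as a filter over Sysmon Event ID 1 records. This is an added example, not detection logic from CISA or the n8n project; it assumes n8n runs as a Node.js process with "n8n" in its command line, and the child-process baseline and the sample events are constructed for illustration.

```python
import re

# Assumption: child images considered normal under n8n in this hypothetical
# environment. Build the real baseline from your own process-creation history.
EXPECTED_CHILDREN = {"node", "node.exe", "git", "git.exe"}

def basename(path):
    """Last path component, lower-cased; accepts both \\ and / separators."""
    return re.split(r"[\\/]", path or "")[-1].lower()

def is_n8n_parent(event):
    """Assumption: the n8n service is a node process whose command line names n8n."""
    parent_cmd = (event.get("ParentCommandLine") or "").lower()
    return basename(event.get("ParentImage")) in {"node", "node.exe"} and "n8n" in parent_cmd

def hunt(events, expected=EXPECTED_CHILDREN):
    """Return Sysmon Event ID 1 records whose parent is n8n and whose image is off-baseline."""
    return [e for e in events
            if e.get("EventID") == 1
            and is_n8n_parent(e)
            and basename(e.get("Image")) not in expected]

# Constructed sample events using Sysmon Event ID 1 field names.
N8N_LINUX = {"ParentImage": "/usr/local/bin/node",
             "ParentCommandLine": "node /usr/local/bin/n8n start"}
SAMPLE_EVENTS = [
    # n8n starting another node process: on the baseline, not reported
    {"EventID": 1, "Image": "/usr/local/bin/node", "CommandLine": "node worker.js", **N8N_LINUX},
    # n8n spawning a shell: off the baseline, reported
    {"EventID": 1, "Image": "/bin/sh", "CommandLine": "sh -c uname -a", **N8N_LINUX},
    # a different Node.js application spawning a shell: parent is not n8n
    {"EventID": 1, "Image": "/bin/sh", "CommandLine": "sh -c uname -a",
     "ParentImage": "/usr/bin/node", "ParentCommandLine": "node /srv/app/server.js"},
    # Windows-hosted n8n spawning cmd.exe: reported
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c ver",
     "ParentImage": "C:\\Program Files\\nodejs\\node.exe",
     "ParentCommandLine": "node.exe C:\\npm\\node_modules\\n8n\\bin\\n8n"},
    # network-connection event carrying similar fields: wrong event type
    {"EventID": 3, "Image": "/bin/sh", **N8N_LINUX},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"off-baseline child of n8n: {hit['Image']} ({hit['CommandLine']})")
```

Event ID 4688 uses different field names and does not record the parent command line, so the parent check would need to be adapted for that source.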

Control Gaps

  • Lack of specific IOCs for proactive blocking
  • Unpatched n8n instances

Key Behavioral Indicators

  • Anomalous code execution originating from n8n application contexts

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Identify all instances of n8n within the environment.
  • Apply the latest security patches or updates provided by the vendor for CVE-2025-68613.

Infrastructure Hardening

  • Restrict access to n8n instances to trusted IP addresses or internal networks where possible.
  • Implement Web Application Firewalls (WAF) to monitor and filter anomalous traffic to n8n interfaces.

User Protection

  • N/A

Security Awareness

  • Ensure vulnerability management teams are tracking CISA KEV additions and prioritizing them according to BOD 22-01 guidelines.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application