Senior Customer Success Manager

CVE-2025-68613: Zerobot botnet exploits critical vulnerability impacting n8n AI orchestration platform. Mar 24, 2026 Introduction. Zerobot, a Mirai-based botnet known for targeting Internet of Things (IoT) devices, has leveraged a critical vulnerability tracked as CVE-2025-68613, to compromise instances of the n8n workflow automation platform. Successful exploitation requires authentication and could result in remote code execution (RCE) with the privileges of the impacted n8n instance. The vulnerability has a high Common Vulnerability Scoring System version 3.1 (CVSSv3.1) score of 9.9 due to low attack complexity, remote exploitation possibility and a high impact on confidentiality, availability and integrity. Its Vulnerability Intelligence researchers have observed a publicly available Metasploit module for CVE-2025-68613 and note that the vulnerability has been weaponized and productized. Intel 471 Inc. provide recommendations and mitigations below. Overview. On Dec. 19, 2025, n8n developers published a security advisory addressing a critical improper control of dynamically managed code resources vulnerability tracked as CVE-2025-68613. Successful exploitation of the vulnerability requires authentication against the n8n instance and could result in RCE. Active exploitation was first identified in mid-January 2026 when Akamai's security intelligence and response team observed the Zerobot botnet leveraging the vulnerability, marking the first publicly reported exploitation of the vulnerability since its disclosure. On March 11, 2026, CISA added CVE-2025-68613 to its KEV catalog, setting a remediation due date of March 25, 2026, for federal agencies. Its Vulnerability Intelligence team observed 71,537 exposed n8n instances worldwide as of March 16, 2026, with the following Shodan query: Figure 1: The image depicts discovered exposed instances of n8n on the Shodan internet scanning platform as of March 16, 2026. Technical analysis. N8n is a workflow automation software built on Node.js and uses JavaScript for platform internals and workflow logic. The vulnerability exists in n8n's expression evaluation system, which lets users write dynamic expressions to process dynamic data inside n8n workflows. For example, if the specific workflow needs to send a personalized mail to a user, the following JavaScript expression may be used. Due to the nature of this feature, the n8n expression evaluation system processes data given by an authenticated user. These kinds of features are attractive for attackers and vulnerability researchers alike due to their handling of user input in a code execution context. An expression injection here is possible in vulnerable instances that enables authenticated attackers to execute arbitrary commands. The vulnerability exists because n8n versions 0.211.0 through 1.120.3 do not properly sandbox the expression evaluation system. This allows attackers to break out the intended execution context and run arbitrary code on the underlying server with the privileges of the n8n process. The following is an example payload that can be used to exploit this vulnerability: The payload wraps the exploit chain inside an anonymous function to encapsulate the logic within a single expression. It first accesses "this" to reach the Node.js global context, then traverses to process.mainModule to access the root module of the application, which should not be unreachable from within the sandbox. From here, "require('child_process')" loads Node.js' module to spawn a child process inside the underlying operation system to execute the "id" command. This results in a potential attacker obtaining access to the underlying operating system and potentially gaining further privileges through lateral movement techniques. Intel 471 tested and confirmed the payload successfully running arbitrary commands on a vulnerable n8n instance. The following screenshot showcases the successful execution of the "id" command inside the n8n platform: Figure 2: The image depicts the successful execution of the "id" command inside the n8n platform on March 18, 2026. Notable underground activity. CVE-2025-68613 garnered significant attention in the underground, including from bot actors who often highlight notable vulnerabilities. Intel 471 Inc. has observed multiple threat actors, including a possible ransomware operator, share links to an exploit from open source reporting. Assessment. Intel 471 Inc. observed broad awareness of CVE-2025-68613 from potential attackers and exploitation in the wild was confirmed. While successful exploitation requires authentication, which serves as a limiting factor, this barrier is not substantial as credentials may be obtained through open registration, brute forcing, credential stuffing or exploiting the vulnerability in conjunction with the CVE-2026-21858 aka ni8mare vulnerability to achieve initial access. This is further compounded by the high number of internet-exposed n8n instances, significantly widening the attack surface. The availability of a public Metasploit module also lowers the technical barrier for exploitation, enabling less sophisticated threat actors to weaponize the vulnerability with minimal effort. These factors, combined with a CVSSv3.1 score of 9.9, suggest a medium likelihood of continued exploitation. Mitigations, recommendations. The Vulnerability Intelligence team proactively tracks the threat life cycles of vulnerabilities and exploit activity observed in the cyber underground, helping illuminate vulnerabilities at a greater risk of exploitation. Timely alerts help teams immediately see changes in a vulnerability's threat level, enabling decisive and prioritized remediation based on real and active threats. The vulnerability was addressed in an n8n security advisory with updated versions. Intel 471 recommends monitoring for unexpected child process spawns originating from the n8n process, particularly those executing system commands such as "id" and "whoami" or executables that can act as payload downloaders such as wget and curl, as these are indicative of active exploitation attempts. Verity471 customers can access an available Sigma rule and Nuclei template. Indicators of compromise. | Indicator Type | Indicator Value | | IP address | 103.59.160.237 | | IP address | 140.233.190.96 | | IP address | 144.172.100.228 | | IP address | 172.86.123.179 | | IP address | 216.126.227.101 | | Domain | 0bot.qzz.io | | Domain | andro.notemacro.com/inihiddenngentod/zerobotv9 | | Domain | pivot.notemacro.com/inihiddenngentod/zerobotv9 | | SHA-256 | c8e8b627398ece071a3a148d6f38e46763dc534f9bfd967ebc8ac3479540111f | | SHA-256 | 360467c3b733513c922b90d0e222067509df6481636926fa1786d0273169f4da | | SHA-256 | cc1efbca0da739b7784d833e56a22063ec4719cd095b16e3e10f77efd4277e24 | | SHA-256 | 045a1e42cb64e4aa91601f65a80ec5bd040ea4024c6d3b051cb1a6aa15d03b57 | | SHA-256 | d024039824db6fe535ddd51bc81099c946871e4e280c48ed6e90dada79ccfcc7 | | SHA-256 | deb70af83a9b3bb8f9424b709c3f6342d0c63aa10e7f8df43dd7a457bda8f060 | | SHA-256 | 6e4e797262c80b9117aded5d25ff2752cd83abe631096b66e120cc3599a82e4e | | SHA-256 | 2fdb2a092f71e4eba2a114364dc8044a7aa7f78b32658735c5375bf1e4e8ece3 | | SHA-256 | 263a363e2483bf9fd9f915527f5b5255daa42bbfa1e606403169575d6555a58c | | SHA-256 | d7112dd3220ccb0b3e757b006acf9b92af466a285bbb0674258bcc9ad463f616 |

Gamma launches AI image-generation tools to challenge Canva and Adobe. Gamma, the AI-powered platform for creating presentations and websites, is expanding its capabilities with a brand-new image-generation tool aimed at marketing and visual content creation. The move positions Gamma as a stronger competitor to design giants like Canva and Adobe. Introducing Gamma Imagine. The new product, called Gamma Imagine, allows users to generate marketing assets directly from text prompts. This includes: Gamma already offers over 100 templates to help users quickly build professional-looking assets. The addition of AI-powered generation makes it easier than ever to create on-brand designs without needing advanced graphic design skills. AI-Powered and data-driven. To fuel its new image-generation capabilities, Gamma is integrating with a wide range of tools and AI models, including ChatGPT, Claude, Make, Zapier, Atlassian, n8n, and Superhuman Go. This allows users to pull in data, automate workflows, and create dynamic visuals seamlessly. Bridging the gap between professionals and knowledge workers. "As we started working with early users, we realized that in the presentations they want to create, there was a variety of graphical design use cases," said Grant Lee, Gamma's CEO and co-founder. "We developed a new set of tools that goes far beyond traditional presentation formats." Lee explains that Gamma occupies a unique space between professional design software like Adobe or Figma and legacy tools such as Microsoft PowerPoint. "We want to serve knowledge workers and business professionals who need to communicate visually but don't have access to design resources," Lee said. "Our AI-native approach is built specifically for this underserved middle." Growth and funding. Gamma has seen rapid growth. In November 2025, the company raised $68 million in a Series B round led by a16z, bringing its valuation to $2.1 billion. At the time, Gamma reported $100 million ARR and 70 million users. The company now says it's approaching 100 million users, signaling strong adoption of its platform. FAQs. 1. What is Gamma Imagine? Gamma Imagine is a new AI-powered image-generation tool that creates marketing assets, infographics, social graphics, and interactive visuals from text prompts. 2. How does Gamma Imagine work? Users provide a text prompt, and the AI generates visuals using templates and integrations with tools like ChatGPT, Claude, Make, and Zapier. 3. Who is Gamma Imagine for? It's designed for knowledge workers, business professionals, and teams who need visual content but don't have professional design skills or resources. 4. How does Gamma compare to Canva and Adobe? Gamma sits between high-end tools like Adobe/Figma and legacy software like PowerPoint, offering an AI-native, accessible solution for creating visuals quickly. 5. How popular is Gamma? Gamma has nearly 100 million users, with a reported $100M ARR, and recently raised $68M in Series B funding at a $2.1B valuation. Sharing is caring!