CVE-2025-68613 Microsoft Sentinel · KQL

Detect n8n Improper Control of Dynamically-Managed Code Resources (CVE-2025-68613) in Microsoft Sentinel

Detects exploitation of CVE-2025-68613, a critical vulnerability in n8n workflow automation platform where improper control of dynamically-managed code resources (CWE-913) allows attackers to execute arbitrary code. This vulnerability is actively exploited in the wild (CISA KEV). Attackers can abuse n8n's Code node or expression evaluation engine to break out of intended sandboxing and execute arbitrary system commands on the underlying host.

MITRE ATT&CK

Tactic
Execution Lateral Movement Impact

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let n8n_processes = DeviceProcessEvents
| where FileName in~ ("node", "node.exe") or ProcessCommandLine has "n8n"
| project DeviceId, DeviceName, Timestamp, ProcessId, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName;
let suspicious_children = DeviceProcessEvents
| where InitiatingProcessFileName in~ ("node", "node.exe")
| where FileName in~ ("sh", "bash", "cmd.exe", "powershell.exe", "python", "python3", "wget", "curl", "nc", "ncat", "perl", "ruby")
    or ProcessCommandLine has_any ("chmod", "chown", "/etc/passwd", "/etc/shadow", "base64", "whoami", "id", "net user", "net localgroup", "certutil", "bitsadmin")
| project DeviceId, DeviceName, Timestamp, ProcessId, FileName, ProcessCommandLine, InitiatingProcessId, InitiatingProcessFileName;
let n8n_network = DeviceNetworkEvents
| where InitiatingProcessFileName in~ ("node", "node.exe")
| where RemotePort !in (5678, 443, 80, 8080)
| where RemoteIPType != "Private"
| project DeviceId, DeviceName, Timestamp, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine;
let n8n_file_writes = DeviceFileEvents
| where InitiatingProcessFileName in~ ("node", "node.exe")
| where FolderPath has_any ("/tmp", "/var/tmp", "C:\\Windows\\Temp", "%TEMP%", "/dev/shm")
    or FileName has_any (".sh", ".ps1", ".bat", ".py", ".exe", ".elf")
| project DeviceId, DeviceName, Timestamp, FileName, FolderPath, InitiatingProcessFileName;
suspicious_children
| union (n8n_network | project DeviceId, DeviceName, Timestamp, ProcessId = 0, FileName = InitiatingProcessFileName, ProcessCommandLine = strcat(RemoteIP, ":", tostring(RemotePort)), InitiatingProcessId = 0, InitiatingProcessFileName)
| union (n8n_file_writes | project DeviceId, DeviceName, Timestamp, ProcessId = 0, FileName, ProcessCommandLine = FolderPath, InitiatingProcessId = 0, InitiatingProcessFileName)
| summarize EventCount = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Commands = make_set(ProcessCommandLine, 20) by DeviceId, DeviceName, InitiatingProcessFileName
| where EventCount >= 1
| extend AlertTitle = "CVE-2025-68613: Potential n8n Code Execution Exploitation"
| project AlertTitle, DeviceName, DeviceId, FirstSeen, LastSeen, EventCount, Commands
critical severity medium confidence

Detects n8n workflow automation processes spawning suspicious child processes, writing files to temporary directories, or making unexpected outbound network connections indicative of CVE-2025-68613 exploitation.

Data Sources

Microsoft Defender for EndpointMicrosoft Sentinel

Required Tables

DeviceProcessEventsDeviceNetworkEventsDeviceFileEvents

False Positives & Tuning

  • Legitimate n8n workflows that intentionally execute shell commands via the Execute Command node
  • n8n instances used for DevOps automation that spawn child processes as part of normal workflow execution
  • Security scanning tools that probe n8n API endpoints
  • Administrators testing n8n Code node functionality in development environments
  • n8n self-update mechanisms triggering process spawning

Other platforms for CVE-2025-68613

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1n8n Code Node Shell Command Execution

    Expected signal: Sysmon Event ID 1 showing node process spawning sh or bash child process with command arguments containing 'id', 'whoami', 'hostname'

  2. Test 2n8n Expression Evaluator File Write to Temp Directory

    Expected signal: Sysmon Event ID 11 (FileCreate) showing node process creating a .sh file in /tmp, followed by Event ID 1 showing chmod +x execution

  3. Test 3n8n Code Node Reverse Shell Simulation (Netcat)

    Expected signal: Sysmon Event ID 1 showing node.js spawning nc/ncat process with -e flag and IP/port arguments; Sysmon Event ID 3 showing network connection from node process to 127.0.0.1:4444

  4. Test 4n8n Credential Exfiltration Simulation via HTTP

    Expected signal: Sysmon Event ID 1 showing node spawning bash then curl with base64-encoded data arguments; Sysmon Event ID 3 showing network connection from curl to external host on port 9999

Last updated: 2026-06-19 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2025-68613 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0002ExecutionTA0008Lateral MovementTA0040Impact

Related Techniques

T1059Command and Scripting InterpreterT1190Exploit Public-Facing ApplicationT1203Exploitation for Client Execution

Same Tactic: Execution

Popular Detections