Kinetic Potential Blog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting n8n to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The vulnerability, tracked as CVE-2025-68613 (CVSS score: 9.9), concerns a case of expression injection that leads to remote code execution. The security shortcoming was patched by n8n in December 2025 in versions 1.120.4, 1.121.1, and 1.122.0. CVE-2025-68613 is the first n8n vulnerability to be placed in the KEV catalog.

"N8n contains an improper control of dynamically managed code resources vulnerability in its workflow expression evaluation system that allows for remote code execution," CISA said.

According to the maintainers of the workflow automation platform, the vulnerability could be weaponized by an authenticated attacker to execute arbitrary code with the privileges of the n8n process.

Microsoft on Tuesday announced patches for 83 vulnerabilities affecting its products.

While none of the bugs have been flagged as exploited, two of them have been publicly disclosed, Microsoft’s advisories reveal.

These include CVE-2026-26127, a denial-of-service (DoS) issue in .NET, and CVE-2026-21262, an elevation of privilege defect in SQL Server.

“These bugs are more bark than bite. The DoS vulnerability is assessed as unlikely to be exploited and requires an attacker to be authorized beforehand, while the privilege escalation bug was deemed less likely to be exploited,” Tenable researcher Satnam Narang points out.

Microsoft’s March 2026 Patch Tuesday updates resolve a single critical-severity flaw, namely CVE-2026-21536 (CVSS score of 9.8), a remote code execution weakness in Devices Pricing Program that has already been fully mitigated by the tech giant.

A new variant of the ClickFix attack evades detection by instructing victims to use Windows Terminal instead of the Run dialog, Microsoft warns.

Like traditional ClickFix attacks, the campaign relies on fake CAPTCHA pages, troubleshooting prompts, and verification lures to trick victims into executing malicious PowerShell commands.

What sets the new campaign apart, however, is the fact that victims are instructed to open Windows Terminal directly, instead of relying on the Windows Run dialog.

“Rather than the traditional Win + R → paste → execute technique, this campaign instructs targets to use the Windows + X → I shortcut to launch Windows Terminal (wt.exe) directly, guiding users into a privileged command execution environment that blends into legitimate administrative workflows and appears more trustworthy to users,” Microsoft says.