Security Check-in Quick Hits: Patching Urgency as n8n Exploits Rage, AppArmor Shattered, and Ransomware Claims 31 More Victims
For March 13, 2026
n8n Under Fire: CISA Adds CVE-2025-68613 to KEV Catalog Amid Active Exploitation
Cybersecurity teams woke up to a fresh CISA alert today: the automation platform n8n is being actively exploited in the wild. The flaw—CVE-2025-68613—is an expression-injection vulnerability in n8n’s workflow engine that lets authenticated attackers run arbitrary code with the same privileges as the n8n process itself. With a crushing CVSS score of 9.9, successful exploitation can let attackers take full control of the instance, access sensitive data, tamper with workflows, and run system-level commands.
Patches dropped back in December 2025 (versions 1.120.4, 1.121.1, and 1.122.0), yet more than 24,700 unpatched instances remain publicly exposed—over 12,300 in North America alone. CISA has now formally added the CVE to its Known Exploited Vulnerabilities catalog and ordered federal agencies to remediate by March 25, 2026. Security researchers on X are already sharing scanning scripts and urging immediate upgrades.
Quick action checklist
• Update to the latest patched release right now.
• Lock down workflow-creation permissions to the absolute minimum.
• Scan your perimeter for exposed n8n instances and monitor for anomalous behavior.
If you run n8n anywhere in your environment, treat this as a five-alarm fire—attackers are already knocking.
CrackArmor: Nine AppArmor Flaws Since 2017 Let Any Local User Become Root
Qualys Threat Research Unit dropped a bombshell disclosure: nine critical vulnerabilities in AppArmor (collectively dubbed “CrackArmor”) that have been lurking in Linux kernels since version 4.11 in 2017. The bugs—stemming from a classic confused-deputy problem in how AppArmor handles profile loading via pseudo-files—allow unprivileged local users to escalate to root, break out of containers, or crash critical services with a simple kernel panic.
More than 12.6 million enterprise Linux instances worldwide are exposed, especially on Ubuntu, Debian, SUSE, and derivatives where AppArmor ships enabled by default. Proof-of-concept exploits already demonstrate privilege escalation via sudo/Postfix interactions, full container escapes, and even KASLR bypasses. No CVEs have been assigned yet because upstream kernel fixes are still rolling out, but the impact is severe enough that Qualys is already shipping detection queries (QID 386714).
What to do today
• Apply your Linux vendor patches immediately—check Ubuntu, Debian, and SUSE security advisories.
• Run Qualys scans or equivalent to hunt for vulnerable kernels.
• Monitor /sys/kernel/security/apparmor/ for unauthorized profile changes.
Containers and cloud Linux workloads just became a lot riskier overnight. Patch, or risk root on every box.
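One way to implement the profile-change monitoring from the checklist above, as an added example that is not code from Qualys or from this post: it parses the "name (mode)" lines of /sys/kernel/security/apparmor/profiles and diffs a current snapshot against a saved baseline. The function names and both sample listings are constructed for illustration.

```python
from pathlib import Path

# Kernel-exported listing of loaded profiles, one "name (mode)" per line (root-readable).
PROFILES_FILE = Path("/sys/kernel/security/apparmor/profiles")

# Constructed sample listings (not captured from a real host).
SAMPLE_BASELINE = """\
/usr/sbin/cupsd (enforce)
/usr/bin/man (enforce)
/usr/bin/man//filter (enforce)
docker-default (enforce)
"""
SAMPLE_CURRENT = """\
/usr/sbin/cupsd (complain)
/usr/bin/man (enforce)
/usr/bin/man//filter (enforce)
tmp-profile (complain)
"""


def parse_profiles(text):
    """Return {profile_name: mode} from the 'name (mode)' listing."""
    profiles = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Split on the last " (" so names containing "//" or spaces stay intact.
        name, sep, mode = line.rpartition(" (")
        if not sep or not mode.endswith(")"):
            raise ValueError(f"unexpected profiles line: {line!r}")
        profiles[name] = mode[:-1]
    return profiles


def diff_profiles(baseline, current):
    """List (change, name, old_mode, new_mode) tuples between two snapshots."""
    findings = []
    for name in sorted(baseline.keys() - current.keys()):
        findings.append(("removed", name, baseline[name], None))
    for name in sorted(current.keys() - baseline.keys()):
        findings.append(("added", name, None, current[name]))
    for name in sorted(baseline.keys() & current.keys()):
        if baseline[name] != current[name]:
            findings.append(("mode-changed", name, baseline[name], current[name]))
    return findings


if __name__ == "__main__":
    # On a real host: current = parse_profiles(PROFILES_FILE.read_text())
    for finding in diff_profiles(parse_profiles(SAMPLE_BASELINE), parse_profiles(SAMPLE_CURRENT)):
        print(finding)
```

The listing carries only name and mode, so a profile replaced in place under the same name and mode does not show up in this diff.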
Ransomware Blitz: 31 New Victims in 24 Hours—U.S. Takes the Hardest Hit
The daily ransomware drumbeat continues. PurpleOps’ 24-hour snapshot shows 31 fresh victims claimed since yesterday, pushing the 2026 year-to-date total past 2,100. Top groups: NightSpire (5 victims), Akira and APT73 (4 each). The United States absorbed 16 attacks—more than half the total—while the UAE, Argentina, Australia, and Canada also took blows.
Hardest-hit sectors: Professional Services (12), Technology/Software (4), and Construction & Engineering (3). Notable names include the University of Mississippi Medical Center (Medusa) and a UAE government site (APT73). The report highlights the usual RaaS dominance, rising insider threats, and a worrying surge in Android mobile malware families targeting financial apps. APAC attacks are up 59% year-over-year as digitization accelerates.
Defensive takeaways
• Assume your organization is in the crosshairs—especially if you’re in professional services or tech.
• Tighten backup strategies, enable MFA everywhere, and hunt for insider-risk indicators.
• Watch emerging mobile threats that slip in via fake app stores and phishing.
Ransomware isn’t slowing down; it’s diversifying. The next victim could be your organization—stay vigilant and patch the two critical flaws above before the next group adds you to their leak site.
Stay safe out there. Patch fast, monitor relentlessly, and we’ll check in again tomorrow.



