Programmer’s Digest #165
12/17/2025-12/24/2025 Critical n8n Flaw (CVSS 9.9) Enables Arbitrary Code Execution, New UEFI Flaw Enables Early-Boot DMA Attacks And More
1. Critical n8n Flaw (CVSS 9.9) Enables Arbitrary Code Execution Across Thousands of Instances
A critical security vulnerability has been disclosed in the n8n workflow automation platform that could allow arbitrary code execution under certain conditions. The flaw, tracked as CVE-2025-68613, has a CVSS score of 9.9. The n8n package has approximately 57,000 weekly downloads on npm. According to the maintainers, expressions provided by authenticated users during workflow configuration may be evaluated in an execution context that is not properly isolated from the underlying runtime. An authenticated attacker could exploit this behavior to execute arbitrary code with the privileges of the n8n process, potentially leading to full system compromise, including data theft, workflow manipulation, and system-level operations. The vulnerability affects all versions from 0.211.0 up to but not including 1.120.4 and has been patched in 1.120.4, 1.121.1, and 1.122.0. Users are strongly urged to update immediately or, if patching is delayed, to restrict workflow permissions and harden deployments.
2. U.S. CISA Adds a Flaw in WatchGuard Fireware OS to its Known Exploited Vulnerabilities Catalog
CISA has added a critical WatchGuard Fireware OS vulnerability, CVE-2025-14733 (CVSS 9.3), to its KEV catalog after active exploitation was confirmed. The flaw is an out-of-bounds write issue in WatchGuard Fireware OS that can be exploited remotely and without authentication via exposed IKEv2 VPN services. When Mobile User VPN or Branch Office VPN with IKEv2 is configured using a dynamic gateway peer, specially crafted network traffic can trigger improper memory handling, allowing attackers to execute arbitrary code on affected Firebox devices. The vulnerability impacts multiple Fireware OS branches, including 11.10.2–11.12.4_Update1, 12.0–12.11.5, and 2025.1–2025.1.3, putting VPN gateways at risk of full compromise. WatchGuard has released patches, Indicators of Attack, and mitigation guidance. CISA has ordered federal agencies to remediate the flaw by December 26, 2025. Organizations are strongly urged to apply updates immediately, rotate secrets after patching, and restrict exposure if fixes cannot be deployed at once.
3. New UEFI Flaw Enables Early-Boot DMA Attacks on ASRock, ASUS, GIGABYTE, MSI Motherboards
Certain motherboard models from ASRock, ASUS, GIGABYTE, and MSI are affected by a firmware vulnerability that exposes systems to early-boot DMA attacks despite UEFI and IOMMU protections being enabled. Discovered by Nick Peterson and Mohamed Al-Sharifi of Riot Games, the flaw stems from firmware incorrectly reporting that DMA protection is active while failing to initialize the IOMMU during early boot.
This gap allows an attacker with physical access to use a malicious DMA-capable PCIe device to read or modify system memory before the operating system and its security controls load, potentially enabling pre-boot code injection and undermining system integrity. CERT/CC warns that attackers could access sensitive data or alter the system’s initial state.
The issue affects multiple Intel and AMD chipset families and is tracked under CVE-2025-14304, CVE-2025-11901, CVE-2025-14302, and CVE-2025-14303, each with a CVSS score of 7.0. Vendors are releasing firmware updates to fix IOMMU initialization. Users are strongly advised to apply patches promptly, especially in environments where physical access cannot be fully controlled.
4. Exploited SonicWall Zero-Day Patched (CVE-2025-40602)
SonicWall has released a hotfix for a local privilege escalation vulnerability, CVE-2025-40602, affecting Secure Mobile Access (SMA) 1000 appliances and warned that the flaw has been exploited in the wild. The vulnerability was reportedly chained with CVE-2025-23006 to achieve unauthenticated remote code execution with root privileges. CVE-2025-23006, patched in January 2025, is a deserialization of untrusted data flaw in the Appliance and Central Management Consoles that allows unauthenticated attackers to execute OS commands. The newly disclosed CVE-2025-40602 also impacts the Appliance Management Console and, due to missing authorization checks, enables attackers with local access to escalate privileges to root when chained with the earlier bug.
SonicWall credited researchers from Google’s Threat Intelligence Group for reporting the issue, though no indicators of compromise have been shared. Customers are urged to upgrade to 12.4.3-03245 or 12.5.0-02283 and restrict management interface access. Even if earlier patches are applied, deploying the latest updates remains essential to fully mitigate the risk.