John Z Black
Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
Two security stories dropped this week that look unrelated. One involves an enterprise workflow platform. The other involves an AI-powered browser. Both involve active exploitation or live attack demos.
The connection isn’t the technology. It’s the model: software trusted to take actions on your behalf, redirected by attackers.
24,700 Exposed n8n Instances
CISA added CVE-2025-68613 to its Known Exploited Vulnerabilities catalog on March 11. Federal agencies have until March 25 to patch. The vulnerability is a remote code execution flaw in n8n, the popular open-source workflow automation platform.
n8n connects services, APIs, and data pipelines. It touches credentials, webhooks, external APIs, internal databases. By design, it has access to a lot of things.
So a remote code execution vulnerability in n8n isn’t just “attacker gets a shell.” It’s attacker gets a shell on the system that has authorized access to your entire automation chain.
Over 24,700 n8n instances are publicly exposed right now. That’s not a targeted attack number. That’s mass-exploitation scale.
And here’s the thing that matters: CISA is now flagging AI automation platforms as known-exploited vulnerabilities. We’re in new territory for federal advisories.
If your n8n instance is internet-facing with weak or no authentication, that’s urgent. Not “add it to the sprint” urgent. Now urgent.
Four Minutes to Credential Theft With an AI Browser
Researchers demonstrated a prompt injection attack against Perplexity’s Comet browser that went from loading a malicious web page to simulated credential theft in under four minutes. Not a theoretical attack. A demonstrated one with a clock running.
The mechanism is indirect prompt injection. A malicious page contains hidden instructions that the AI browser processes as legitimate directives. The browser, trying to be helpful, follows them. And the attacker’s instructions become the browser’s agenda.
This isn’t a bug in the traditional sense. The browser is working as designed. The problem is that “working as designed” means executing instructions found in web content, and a well-crafted page can slip malicious instructions through a channel the browser treats as trusted input.
Brian Krebs put it well: historically, compromising someone’s browser gets you their data. Compromising their AI browser gets you their actions. The scope of what’s at stake expands considerably.
Why This Matters Together
Both n8n and Comet share a structural characteristic: they’re designed to act, not just process. n8n executes workflows. Comet takes browser actions. Both are given trusted agency to do things on your behalf.
That’s exactly what makes them interesting targets. Compromise the automation platform and you don’t need to individually exploit each downstream system. The automation does it for you. Redirect an AI browser’s actions and you don’t need credentials you don’t have. The browser uses the credentials it already has.
This is the attack surface that comes with agentic AI tools. It’s not just that AI makes existing attacks faster. It’s that AI automation creates attacks that didn’t exist before: turning trusted agency against its own users.
Questions your org should be asking right now:
- What systems and credentials does your automation platform have access to?
- Is your n8n instance internet-exposed? Is it patched?
- Do any AI-powered tools in your environment take autonomous actions based on external content?
- What’s your containment plan if one of those tools gets compromised?
The AI agent layer is an attack surface. And it’s being tested.