The Akamai Security Intelligence and Response Team (SIRT) has identified active exploitation of critical vulnerabilities in the n8n workflow automation platform and in Tenda AC1206 routers. This marks the first reported active exploitation of these vulnerabilities since their initial disclosure.
Executive Summary
A Mirai-based botnet campaign dubbed Zerobot is actively exploiting CVE-2025-7544 (Tenda AC1206 buffer overflow) and CVE-2025-68613 (n8n workflow platform RCE). The campaign was first observed in January 2026 through Akamai’s global honeypot network.
Why n8n Targeting Is Significant
The targeting of n8n represents a notable departure from typical IoT device exploitation. Unlike security cameras, DVRs, and routers that botnets traditionally target, n8n is an enterprise workflow automation platform used by organizations to:
- Integrate databases with cloud services
- Automate data processing pipelines
- Manage sensitive data flows
- Connect internal systems and platforms
Compromising n8n instances could enable lateral movement within an organization’s critical infrastructure, making this campaign particularly dangerous for enterprises.
Vulnerability Details
CVE-2025-68613 (n8n RCE)
This critical vulnerability affects n8n versions 0.211.0 through 1.20.4, and versions 1.21.1 and 1.22.0. The flaw exists in the workflow expression evaluation system, where user-written expressions are evaluated without adequate sandboxing. Attackers can break out of the intended execution context to:
- Execute arbitrary code on the server
- Read and write files on the server
- Steal environment variables (API keys, credentials)
- Establish persistence
Exploitation requires only an authenticated user account (no admin privileges needed) and exposes all data and systems that the n8n instance itself can access.
CVE-2025-7544 (Tenda AC1206)
A remote stack-based buffer overflow affecting the /goform/setMacFilterCfg endpoint in Tenda AC1206 routers (version 15.03.06.23). The deviceList parameter is passed to strcpy() without length validation, enabling remote code execution or denial-of-service attacks.
Zerobot Malware Analysis
The campaign delivers a shell script (tol.sh) that fetches the main Mirai-based malware payload named zerobotv9. Key characteristics include:
- Multi-architecture support: x86, x86_64, MIPS, ARM (multiple versions), PPC, SPC, M68K, SH4, ARC
- C2 domain: 0bot.qzz[.]io
- XOR key: 0xDEADBEEF (classic Mirai indicator)
- Attack methods: TCPXmas, Mixamp, SSH, and a method named Discord
- Console string: bruh why again
Attack Chain
The exploitation follows this pattern:
- Trigger buffer overflow (CVE-2025-7544) or workflow expression injection (CVE-2025-68613)
- Download the tol.sh shell script from attacker infrastructure
- Execute the script to fetch the architecture-appropriate zerobotv9 binary
- Establish C2 communication with 0bot.qzz[.]io
- Join botnet for DDoS attacks or further exploitation
Indicators of Compromise
Malicious IPs
Malicious Domains
0bot.qzz[.]io
andro.notemacro[.]com
pivot.notemacro[.]com
SHA256 Hashes
Recommendations
- Patch immediately: Update n8n to version 1.22.1 or later
- Replace vulnerable hardware: Apply firmware updates for Tenda AC1206 routers if available, or consider replacing the devices
- Monitor for IoCs: Block the listed IP addresses and domains at your perimeter
- Audit automation platforms: Review what sensitive data and systems your n8n instances can access
- Network segmentation: Isolate automation platforms from critical infrastructure where possible
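A way to operationalise the n8n patch check and the Tenda endpoint monitoring described above, as an added example (not Akamai's or n8n's own tooling): the first function tests a version string against the affected ranges stated in this advisory; the second flags web or honeypot log lines that POST an oversized deviceList to /goform/setMacFilterCfg. The log line format, the sample lines and the 128-byte threshold are assumptions constructed for this example.

```python
import re
from urllib.parse import parse_qs

# Affected n8n versions as stated in the advisory (inclusive bounds).
AFFECTED_N8N_RANGES = [
    ((0, 211, 0), (1, 20, 4)),
    ((1, 21, 1), (1, 21, 1)),
    ((1, 22, 0), (1, 22, 0)),
]

def parse_version(version):
    """'v1.20.4' -> (1, 20, 4); tolerates a leading 'v', a '-suffix' and missing parts."""
    core = version.strip().lstrip("v").split("-")[0]
    parts = [int(p) for p in core.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def n8n_is_vulnerable(version):
    """True if the version falls inside one of the advisory's affected ranges."""
    ver = parse_version(version)
    return any(lo <= ver <= hi for lo, hi in AFFECTED_N8N_RANGES)

# Constructed log format: <src> "<method> <path>" <status> body=<urlencoded body>
LOG_RE = re.compile(r'^(?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) body=(?P<body>.*)$')
TENDA_ENDPOINT = "/goform/setMacFilterCfg"
DEVICELIST_MAX = 128  # assumed threshold; tune against benign admin traffic on your routers

def tenda_overflow_attempt(line):
    """Return {'src', 'length'} when a line posts an oversized deviceList to the Tenda endpoint."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST" or m["path"].split("?")[0] != TENDA_ENDPOINT:
        return None
    fields = parse_qs(m["body"], keep_blank_values=True)
    device_list = fields.get("deviceList", [""])[0]
    if len(device_list) > DEVICELIST_MAX:
        return {"src": m["src"], "length": len(device_list)}
    return None

# Constructed sample lines: a benign MAC-filter update, an overlong deviceList, an unrelated GET.
SAMPLE_LOGS = [
    '10.0.0.5 "POST /goform/setMacFilterCfg" 200 body=macFilterType=black&deviceList=AA:BB:CC:DD:EE:FF',
    '198.51.100.7 "POST /goform/setMacFilterCfg" 200 body=macFilterType=black&deviceList=' + "A" * 600,
    '10.0.0.5 "GET /goform/getMacFilterCfg" 200 body=',
]

def scan_logs(lines):
    """Collect every suspicious hit from an iterable of log lines."""
    return [hit for hit in (tenda_overflow_attempt(l) for l in lines) if hit]

if __name__ == "__main__":
    print("n8n 1.20.4 vulnerable:", n8n_is_vulnerable("1.20.4"))
    for hit in scan_logs(SAMPLE_LOGS):
        print("possible CVE-2025-7544 attempt from", hit["src"], "deviceList length", hit["length"])
```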
Conclusion
The proliferation of Mirai variants continues despite law enforcement takedowns, as the barrier to entry remains low. Threat actors are increasingly targeting enterprise automation tools rather than just IoT devices, presenting greater risk to organizational infrastructure. The rapid weaponization of recently disclosed CVEs underscores the importance of timely patching and comprehensive vulnerability management.
Source: Akamai SIRT
