Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

A critical remote code execution (RCE) vulnerability has been disclosed in n8n, a popular open-source workflow automation platform widely used to orchestrate business processes, SaaS integrations, and internal automation pipelines. Tracked as CVE-2025-68613, the vulnerability carries a CVSS score of 9.9 (Critical) and allows authenticated attackers to execute arbitrary system-level code on vulnerable n8n instances.

A critical code injection vulnerability has been identified in Apache Commons Text, a widely used Java library for text processing and interpolation. Tracked as CVE-2025-46295, the vulnerability carries a CVSS v3 score of 9.8 (Critical) and affects all versions of the library prior to 1.10.0. The vulnerability has an EPSS score of 0.253%, indicating a low short-term probability of exploitation.

In 2025, security benchmarks showed that over half of publicly disclosed vulnerabilities can bypass WAF protections when rule updates lag behind real-world exploits. Legacy WAFs were built for stable applications and predictable traffic. Today, frequent releases, API-driven architectures, and rapidly evolving attacks expose the limits of manual tuning and after-the-fact validation, leaving protection out of sync with reality.

According to the Indusface State of Application Security Report, SMBs now experience more attacks per application than large enterprises. Each SMB site facing an average of 2.24 million attacks per quarter, driven largely by malicious bot traffic and automated DDoS attempts. Despite this, many SMBs still operate with minimal security controls or legacy technology stacks, making them extremely vulnerable.

The digital storefront never sleeps, but in the first half of 2025, it has faced unprecedented hostility. According to the State of Application Security report 2025 Report, the threat landscape has shifted dramatically. E-commerce has become a primary target, with DDoS incidents in the retail and e-commerce sector spiking by 420%. Perhaps even more concerning is the vector of these attacks: attacks on APIs rose by 104%, with vulnerability exploitation increasing 13-fold.

A newly disclosed denial-of-service vulnerability, CVE-2025-66675, affects a wide range of Apache Struts 2 versions and poses a serious availability risk for applications that handle file uploads. While the EPSS score is 0.05%, indicating a low probability of exploitation in the next 30 days, the vulnerability still represents a high availability risk for exposed and unpatched environments.

With the rise of CI/CD pipelines, cloud-native development, and globally distributed teams, sensitive credentials like API keys, tokens, and database passwords often slip into source code. Sometimes accidentally, sometimes under pressure to deploy fast. This is not a rare mishap. A recent study found that 34% of API security incidents involve sensitive data exposure. And according to Cyble, over 1.5 million.env files containing secrets have been discovered in publicly accessible environments.