Agentic AI Exploited in Ransomware Attack via Langflow
A malicious actor exploited a vulnerability in Langflow to compromise an organization’s instance and utilize it in an agentic ransomware operation, according to a report from cloud security firm Sysdig.
Vulnerability Details
CVE-2025-3248
Langflow, an open-source Python-based framework designed for constructing LLM-driven applications and agent workflows, was targeted through a critical authentication flaw. The threat group, identified as JadePuffer, accessed an internet-facing Langflow instance by leveraging CVE-2025-3248, a high-severity vulnerability with a CVSS score of 9.8. This flaw, disclosed in April, allows attackers to execute arbitrary Python code on the host system running Langflow. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) flagged the vulnerability as actively exploited in early May.
Attack Phases
Reconnaissance and Data Extraction
Once inside the system, JadePuffer utilized the LLM for reconnaissance, scanning for sensitive data such as API keys, cloud credentials, cryptocurrency wallets, configuration files, and database credentials. The attackers extracted data from Langflow’s Postgres database, mapped internal network addresses, identified MinIO endpoints for credential harvesting, and established persistent access via a cron job. During this phase, the LLM dynamically adjusted its operations to extract credentials from diverse file formats and log into discovered systems.
Lateral Movement to Production Server
In the second stage, the threat actor leveraged the LLM to move laterally to a production server hosting a MySQL database and an Alibaba Nacos configuration platform. Nacos, a component widely used in Alibaba’s microservices architecture, has previously been targeted through security bypasses and relies on a default JWT signing key that facilitates token forgery. JadePuffer accessed the server using a payload containing MySQL root credentials and used the LLM to attack the Nacos service through multiple vectors.
Nacos Attack Details
CVE-2021-29441 and JWT Forging
The vectors included exploiting the auth-bypass vulnerability CVE-2021-29441, forging a JWT with the default key, and injecting a backdoor administrator into the Nacos database. The LLM modified its payloads to bypass authentication, checked for User Defined Functions (UDF) capable of executing operating system commands, and issued completion markers before deploying ransomware.
Ransomware Deployment
The attack encrypted 1,342 Nacos configuration items and created an extortion table containing ransom demands, payment instructions, and contact details. The encryption key was randomly generated and was neither stored nor transmitted, so the encrypted data remained inaccessible.
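A defender-side integrity audit of the Nacos backing database, covering the three artifacts described above: an injected administrator, mass-modified configuration items and an unexpected table. This is an added example, not code from Sysdig's report or the Nacos project. The table names assume Nacos's stock schema, SQLite stands in for MySQL, and the allowlist, baseline and sample rows are constructed.

```python
import hashlib
import sqlite3

# Assumptions: table and column names follow Nacos's stock MySQL schema (only a
# subset is listed; use the full schema in practice). The allowlist, baseline
# and sample rows are constructed for this example.
EXPECTED_TABLES = {"users", "roles", "config_info"}
APPROVED_ADMINS = {"nacos-ops"}  # hypothetical approved administrator

def digest(text):
    return hashlib.sha256(text.encode()).hexdigest()

def audit(conn, baseline):
    """Compare the live database against an offline baseline of config hashes."""
    # On MySQL, list tables from information_schema.tables instead.
    tables = {r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")}
    admins = {r[0] for r in conn.execute(
        "SELECT username FROM roles WHERE role = 'ROLE_ADMIN'")}
    current = {d: digest(c) for d, c in conn.execute(
        "SELECT data_id, content FROM config_info")}
    changed = sorted(d for d, h in baseline.items() if current.get(d) != h)
    return {
        "unexpected_tables": sorted(tables - EXPECTED_TABLES),
        "unapproved_admins": sorted(admins - APPROVED_ADMINS),
        "changed_configs": changed,
        # Single edits are routine; a large share changing at once is not.
        "mass_change": len(changed) >= 0.5 * max(len(baseline), 1),
    }

def build_sample_db():
    """Constructed in-memory stand-in for the MySQL database behind Nacos."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, password TEXT, enabled INTEGER);
        CREATE TABLE roles (username TEXT, role TEXT);
        CREATE TABLE config_info (data_id TEXT, group_id TEXT, content TEXT);
        CREATE TABLE notice_example (message TEXT);
        INSERT INTO roles VALUES ('nacos-ops', 'ROLE_ADMIN'), ('svc-sync', 'ROLE_ADMIN');
        INSERT INTO config_info VALUES
            ('app.yaml', 'DEFAULT_GROUP', 'opaque-blob-1'),
            ('db.properties', 'DEFAULT_GROUP', 'opaque-blob-2'),
            ('cache.yaml', 'DEFAULT_GROUP', 'ttl: 60');
    """)
    return conn

BASELINE = {"app.yaml": digest("server:\n  port: 8080"),
            "db.properties": digest("pool.size=10"),
            "cache.yaml": digest("ttl: 60")}

if __name__ == "__main__":
    print(audit(build_sample_db(), BASELINE))
```

The baseline has to be captured and stored outside the database host, since an attacker with root on MySQL can rewrite anything kept alongside the data.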
Sysdig’s Analysis
Sysdig’s analysis revealed that the LLM’s payloads included natural-language explanations of each action, demonstrating its ability to adapt to failures and provide accurate diagnostics. The firm noted that the LLM’s behavior, such as parsing free-text context and making context-aware decisions, indicated a level of autonomy beyond traditional automated tools.
Conclusion and Recommendations
This attack highlights how agentic AI reduces the complexity of malicious operations, enabling adversaries to execute sophisticated campaigns with minimal human intervention. Sysdig emphasized that exposed application servers, unsecured configuration stores, and internet-facing database accounts are prime targets for future attacks. The report underscores the growing threat of AI-driven campaigns as tooling matures, urging organizations to prioritize hardening infrastructure and monitoring for anomalous activity.
