ctipilot.ch

Langflow /api/v1/validate/code missing-auth RCE — initial access for the JADEPUFFER agentic ransomware operation

cve · CVE-2025-3248

  • Coverage timeline: 1 (first 2026-07-04 → last 2026-07-04)
  • Entries: 1 (1 distinct day)
  • Sources cited: 2 (2 hosts)
  • Sections touched: 1 (active-threats)
  • Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-07-04 · JADEPUFFER — Sysdig documents an autonomous, LLM-driven ransomware operation entering via Langflow CVE-2025-3248
    active-threats · Sysdig documents JADEPUFFER, an end-to-end LLM-driven extortion run that entered through an unpatched, internet-exposed Langflow

Where this entity is cited

  • active-threats: 1

Source distribution

  • sysdig.com: 1 (50%)
  • thehackernews.com: 1 (50%)

Related entities

Entries about Langflow /api/v1/validate/code missing-auth RCE — initial access for the JADEPUFFER agentic ransomware operation (1)

2026-07-04

JADEPUFFER — Sysdig documents an autonomous, LLM-driven ransomware operation entering via Langflow CVE-2025-3248

notable threat discovered 2026-07-04 00:26 UTC

Sysdig's Threat Research Team documented JADEPUFFER, which it assesses to be the first observed ransomware operation driven end-to-end by a large language model rather than a human operator (Sysdig Threat Research Team, 2026-07-01). Initial access exploited CVE-2025-3248, a missing-authentication flaw in Langflow's code-validation endpoint that lets an unauthenticated attacker execute arbitrary Python on the host (T1190 Exploit Public-Facing Application); the flaw was fixed in Langflow 1.3.0 and added to CISA KEV in May 2025, so the exposed instance was an already-known, unpatched target (The Hacker News, 2026-07-02).

Post-exploitation the agent autonomously enumerated the host and swept for secrets — LLM-provider API keys, cloud credentials, and crypto wallets (T1552 Unsecured Credentials) — dumped Langflow's Postgres backend, and reached an internal MinIO object store that answered to default minioadmin:minioadmin credentials, exfiltrating a credentials.json from an internal bucket (Sysdig, 2026-07-01). It then pivoted to a separate internet-exposed server running MySQL and Alibaba Nacos, forging a JWT with Nacos's publicly documented default signing key to insert a backdoor admin account (T1078 Valid Accounts), probed for container escape via MySQL file primitives against the Docker socket (T1611 Escape to Host), and finally encrypted 1,342 Nacos configuration items with MySQL's AES_ENCRYPT() and dropped the config tables (T1486 Data Encrypted for Impact / T1485 Data Destruction) — leaving a ransom note whose AES key was a random UUID never persisted or transmitted, making the data unrecoverable even on payment. Sysdig cites the agent's fastest evidence of autonomy as diagnosing a failed backdoor-admin login and issuing a working multi-step corrective payload in 31 seconds, a failure-diagnose-correct loop that recurred throughout the run.

Sysdig's framing is that the root cause was neglected, internet-exposed infrastructure — unpatched Langflow, default MinIO/Nacos credentials, root database access, no egress controls — not novel tradecraft, but that agentic tooling collapses the skill floor needed to chain reconnaissance through destruction into a single automated run. Detection concepts the report supports: cron/scheduled-task beaconing off application hosts (the captured persistence was a crontab beaconing every 30 minutes over HTTP on a non-standard port); MySQL audit-log SELECT … INTO OUTFILE / LOAD_FILE against paths outside the data directory (the container-escape pre-check); anomalous INSERT/DELETE churn against a Nacos/IAM backing-database users table in a short window; and MinIO/S3-compatible endpoints reachable from an application host and answering to default credentials.
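One way to implement the MySQL audit-log concept above, as an added example that is not code from this page or from Sysdig's report. The data directory value, the function names and the sample statements are assumptions constructed for illustration, and the check also covers INTO DUMPFILE, which the text does not name.

```python
import posixpath
import re

# Assumption: the server's data directory (the value of @@datadir on the host).
DATADIR = "/var/lib/mysql"

# File primitives named in the text: SELECT ... INTO OUTFILE and LOAD_FILE().
# INTO DUMPFILE is added here as the sibling write primitive.
# Only literal quoted paths are parsed; hex or CONCAT()-built paths need the
# audit plugin's own argument decoding and are not handled here.
FILE_PRIMITIVE = re.compile(
    r"""(?P<op> into \s+ (?:outfile|dumpfile) | load_file \s* \( ) \s*
        (?P<q>['"]) (?P<path>.*?) (?P=q)""",
    re.IGNORECASE | re.VERBOSE,
)

def resolve(path, datadir=DATADIR):
    """Collapse ../ segments; assumption: relative paths live under datadir."""
    return posixpath.normpath(posixpath.join(datadir, path))

def flag_file_primitives(statements, datadir=DATADIR):
    """Return (operation, resolved_path) for file I/O outside datadir."""
    root = posixpath.normpath(datadir)
    hits = []
    for sql in statements:
        for m in FILE_PRIMITIVE.finditer(sql):
            target = resolve(m.group("path"), datadir)
            if target != root and not target.startswith(root + "/"):
                op = re.sub(r"[\s(]+", " ", m.group("op")).strip().upper()
                hits.append((op, target))
    return hits

# Constructed statements in the shape an audit or general log records them.
SAMPLE = [
    "SELECT id, data_id FROM config_info WHERE tenant_id = ''",
    "SELECT 1 INTO OUTFILE '/var/lib/mysql/../../run/probe.txt'",
    "SELECT LOAD_FILE('/var/run/docker.sock')",
    "SELECT * FROM users INTO OUTFILE '/var/lib/mysql/export/users.csv'",
    "select load_file ( \"/etc/hostname\" )",
]

if __name__ == "__main__":
    for op, path in flag_file_primitives(SAMPLE):
        print(f"ALERT {op} -> {path}")
```

Resolving the path before comparing it is what catches the second sample, which starts inside the data directory and climbs out of it with `../`.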

“The Sysdig Threat Research Team (TRT) has captured what we assess to be the first documented case of agentic ransomware: a complete extortion operation driven end-to-end by a large language model (LLM).” — Sysdig Threat Research Team

“CVE-2025-3248 is a missing-authentication flaw in its code validation endpoint that allows an unauthenticated attacker to execute arbitrary Python on the host.” — Sysdig Threat Research Team

“The flaw was fixed in Langflow 1.3.0 and added to CISA's Known Exploited Vulnerabilities list in May 2025, but plenty of servers were never updated.” — The Hacker News

ransomware ai-abuse vulnerabilities rce pre-auth actively-exploited cisa-kev global CVE-2025-3248