Agentic AI Powers Ransomware Attack Exploiting Critical Langflow Vulnerability


A recent incident has highlighted the growing sophistication of cyber threats, as a threat actor exploited a vulnerability in Langflow, a Python-based, LLM-agnostic open-source framework, to conduct an agentic ransomware attack. The attack, reported by cloud security firm Sysdig, underscores the potential risks associated with emerging technologies and their vulnerabilities.

Understanding Langflow and Its Vulnerability

Langflow serves as a framework for building applications driven by large language models (LLMs) and agent workflows. However, a critical vulnerability, identified as CVE-2025-3248, was disclosed in April, carrying a CVSS score of 9.8. This missing authentication flaw allowed the threat actor, tracked as JadePuffer, to gain access to an internet-exposed instance of Langflow. The Cybersecurity and Infrastructure Security Agency (CISA) flagged this vulnerability as actively exploited in early May.

The successful exploitation of this vulnerability enabled attackers to execute arbitrary Python code on the host running Langflow. Following this initial breach, JadePuffer leveraged the LLM for reconnaissance, scanning the system for sensitive information such as API keys, cloud credentials, cryptocurrency wallets, configuration files, and database credentials.

Initial Phase of the Attack

Once inside the system, JadePuffer dumped Langflow’s Postgres database to extract secrets, scanned the internal address space, and probed for MinIO addresses to gather further credentials. The attacker also deployed a cron job to ensure persistent access to the Langflow server. Throughout this phase, the LLM demonstrated an ability to adapt its actions in real time, completing tasks and logging into discovered endpoints.

The attack progressed as JadePuffer pivoted to a production server hosting a MySQL database and an Alibaba Naming and Configuration Service (Nacos) configuration platform. Nacos, widely used in Alibaba’s microservice architectures, has faced various security bypass issues and ships with a well-known default JWT signing key, which facilitates token forgery.

Lateral Movement and Encryption

To connect to the MySQL server, JadePuffer utilized a payload containing root credentials for the MySQL port. The attacker used multiple vectors to target the Nacos service, including exploiting the auth-bypass vulnerability (CVE-2021-29441) and forging a valid JWT using Nacos’s default signing key. With root database access, the attacker injected a backdoor administrator directly into the Nacos backing database.

During the attack, the LLM adjusted its payload to bypass login verification, checked for User Defined Functions (UDF) that could lead to OS command execution, and issued a completion marker before deploying ransomware. The attack resulted in the encryption of 1,342 Nacos service configuration items, alongside the creation of an extortion table that included the ransom demand, payment address, and contact email. The encryption key was randomly generated but not stored or transmitted, effectively preventing data recovery.

Captured payloads revealed that the LLM escalated its actions from row-level deletions to dropping entire database schemas, providing a narrative of its targeting rationale. The analysis indicated that the LLM generated code with natural-language commentary on each action, demonstrating its ability to correct failures and provide accurate diagnoses.

Implications for Cybersecurity

This incident illustrates that LLM agents significantly lower the barrier for malicious operations. The attack required a capable model rather than a skilled human, combining known techniques to exploit neglected infrastructure at minimal cost to the attacker. As agentic tooling matures, cybersecurity professionals should anticipate an increase in the volume and breadth of such campaigns.

Defenders are advised to prioritize the hardening of exposed application servers, configuration stores, and internet-facing database admin accounts, as these are likely to be the first targets in future attacks. The incident serves as a stark reminder of the vulnerabilities inherent in modern technology and the need for robust security measures.
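As an added example (not from Sysdig's report or the Nacos project), the following audit checks a Nacos `application.properties` for the weaknesses described above: authentication left off, a shipped or short JWT signing key, and unset server identity values. The finding codes, the 32-byte minimum, the treatment of an absent whitelist setting as a finding, and the sample inputs are assumptions of this example; the defender supplies the list of known default keys.

```python
import base64
import binascii
import secrets

# Nacos application.properties names (2.x; the pre-2.x token key name is also checked).
AUTH_ENABLED = "nacos.core.auth.enabled"
UA_WHITELIST = "nacos.core.auth.enable.userAgentAuthWhite"
TOKEN_KEYS = ("nacos.core.auth.plugin.nacos.token.secret.key",
              "nacos.core.auth.default.token.secret.key")
IDENTITY = ("nacos.core.auth.server.identity.key",
            "nacos.core.auth.server.identity.value")

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # / ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")  # value may itself end in '='
            props[key.strip()] = value.strip()
    return props

def audit_nacos(text, shipped_keys=()):
    """Return finding codes; shipped_keys is the defender's list of known default keys."""
    props = parse_properties(text)
    findings = []
    if props.get(AUTH_ENABLED, "").lower() != "true":
        findings.append("auth-disabled")
    # Conservative choice of this example: the whitelist must be switched off explicitly.
    if props.get(UA_WHITELIST, "").lower() != "false":
        findings.append("user-agent-whitelist-enabled")
    token = next((props[k] for k in TOKEN_KEYS if props.get(k)), "")
    if not token:
        findings.append("token-key-missing")
    elif token in shipped_keys:
        findings.append("token-key-default")
    else:
        try:  # assumed policy: Base64 text that decodes to at least 32 bytes
            if len(base64.b64decode(token, validate=True)) < 32:
                findings.append("token-key-weak")
        except (binascii.Error, ValueError):
            findings.append("token-key-weak")
    if not all(props.get(k) for k in IDENTITY):
        findings.append("server-identity-unset")
    return findings

# Constructed sample inputs; the placeholder stands in for the vendor's shipped key.
PLACEHOLDER = "CONSTRUCTED-PLACEHOLDER-NOT-THE-REAL-DEFAULT"
WEAK = f"{AUTH_ENABLED}=false\n{TOKEN_KEYS[0]}={PLACEHOLDER}\n"
STRONG_KEY = base64.b64encode(secrets.token_bytes(32)).decode()
HARDENED = (f"{AUTH_ENABLED}=true\n{UA_WHITELIST}=false\n{TOKEN_KEYS[0]}={STRONG_KEY}\n"
            f"{IDENTITY[0]}=example-id\n{IDENTITY[1]}={secrets.token_hex(16)}\n")
```

Calling `audit_nacos(WEAK, shipped_keys={PLACEHOLDER})` reports every finding, while `HARDENED` returns an empty list.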

For further insights into the implications of this attack, refer to the original reporting by Sysdig. Source: www.securityweek.com.
