What happened
Threat actor JadePuffer exploited CVE-2025-3248, a critical missing-authentication RCE flaw (CVSS 9.8) in Langflow — an open-source Python framework for building LLM agent workflows — to gain initial access to an internet-exposed Langflow instance. The AI agent then autonomously performed reconnaissance, dumped credentials from Langflow's Postgres database, enumerated internal MinIO and Nacos services, established persistence via a cron job, and moved laterally to a production MySQL server. It exploited CVE-2021-29441 in Alibaba Nacos, together with a default JWT signing key, to forge admin tokens, injected a backdoor administrator, and finally encrypted 1,342 Nacos configuration items with a randomly generated key and deposited a ransom demand. Sysdig's Threat Research Team documented the full chain — calling it the first observed end-to-end agentic ransomware operation — on 2026-07-03. Throughout, the LLM autonomously adapted payloads, parsed free-text context, and self-corrected on failures.
Why it matters
This is the first confirmed case of an AI agent autonomously executing a complete ransomware kill-chain — from initial access through lateral movement, credential theft, and data encryption — with minimal human direction. It demonstrates that agentic AI dramatically lowers the skill bar for sophisticated multi-stage attacks, and that any internet-exposed Langflow instance (or similar agentic platform with unpatched RCE) is a beachhead for fully automated extortion campaigns targeting production databases, configuration stores, and cloud credentials.
Attack vector
Unauthenticated HTTP request to exposed Langflow endpoint triggers arbitrary Python code execution; AI agent then autonomously chains reconnaissance, credential harvest, lateral movement, and ransomware deployment with no further attacker interaction.
Affected systems
Langflow (all versions with the missing-auth RCE, i.e. pre-patch for CVE-2025-3248); CISA flagged it as actively exploited in May 2026.
Mitigation
Apply the Langflow authentication patch for CVE-2025-3248 immediately; do not expose Langflow to the public internet without authentication and network segmentation. Rotate all credentials accessible from the Langflow host. Rotate Nacos JWT signing keys and disable default credentials. Sysdig advisory: https://sysdig.com/blog/jadepuffer-agentic-ransomware-for-automated-database-extortion
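To check the Nacos side of the mitigation above, the following added example (not from Sysdig or the Nacos project) audits an `application.properties` for the settings tied to CVE-2021-29441 and the JWT signing key. The property names are Nacos's own auth settings and do not appear in this brief; the deny-list entry, finding codes and sample configs are constructed placeholders.

```python
import base64
import binascii

# Operator-supplied deny list of vendor-default signing keys (constructed placeholder).
KNOWN_DEFAULT_SECRETS = {"PLACEHOLDER-VENDOR-DEFAULT-KEY"}
SECRET_PROPS = ("nacos.core.auth.plugin.nacos.token.secret.key",
                "nacos.core.auth.default.token.secret.key")  # newer, older name

def parse_properties(text):
    # Minimal key=value parser; splits on the first '=' so Base64 padding survives.
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit_nacos(text, deny=KNOWN_DEFAULT_SECRETS):
    """Return finding codes; a missing property is treated as unsafe (conservative)."""
    p = parse_properties(text)
    findings = []
    if p.get("nacos.core.auth.enabled", "false").lower() != "true":
        findings.append("auth-disabled")
    # CVE-2021-29441: server trust must not rest on the User-Agent header.
    if p.get("nacos.core.auth.enable.userAgentAuthWhite", "true").lower() != "false":
        findings.append("user-agent-whitelist-on")
    if not (p.get("nacos.core.auth.server.identity.key")
            and p.get("nacos.core.auth.server.identity.value")):
        findings.append("server-identity-unset")
    secret = next((p[k] for k in SECRET_PROPS if p.get(k)), "")
    if not secret:
        findings.append("signing-key-unset")
    elif secret in deny:
        findings.append("signing-key-default")
    else:
        try:  # assumption: key should be Base64 and decode to at least 32 bytes
            raw = base64.b64decode(secret, validate=True)
        except (binascii.Error, ValueError):
            raw = b""
        if len(raw) < 32:
            findings.append("signing-key-weak")
    return findings

# Constructed sample configs: one weak, one hardened.
WEAK = """nacos.core.auth.enabled=true
nacos.core.auth.enable.userAgentAuthWhite=true
nacos.core.auth.plugin.nacos.token.secret.key=PLACEHOLDER-VENDOR-DEFAULT-KEY"""
HARDENED = WEAK.replace("White=true", "White=false").replace(
    "PLACEHOLDER-VENDOR-DEFAULT-KEY", base64.b64encode(bytes(range(32))).decode()
) + "\nnacos.core.auth.server.identity.key=k\nnacos.core.auth.server.identity.value=v"
```

Populate `KNOWN_DEFAULT_SECRETS` with the default key shipped in your Nacos release, then run `audit_nacos()` over each deployed config; an empty list means none of these checks fired.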