
The JADEPUFFER campaign exploited a 9.8 CVSS flaw in Langflow to automate ransomware with AI agents. Reconnaissance, lateral movement, and encryption of 1,342 Nacos configs—no human needed. This marks a shift from hypothetical to operational agentic threats.
The agentic AI ransomware Langflow exploit—dubbed JADEPUFFER—turned a patched, 9.8-severity vulnerability in the popular open-source AI workflow builder Langflow into a fully automated extortion campaign. SecurityWeek reported that attackers used the vulnerability to let an LLM agent handle reconnaissance, credential theft, lateral movement, and the encryption of 1,342 Nacos configuration databases. This isn't a proof-of-concept; it's production-grade automation that should make every platform engineer check their Langflow deployments today.
CVE-2025-3248 is a critical missing-authentication flaw in Langflow’s code validation endpoint, first disclosed by Zscaler’s ThreatLabz in April 2025 with a CVSS score of 9.8. It allows unauthenticated attackers to execute arbitrary Python on the host. While the vulnerability was patched quickly, the JADEPUFFER campaign shows that exposed instances are now fueling attacks where an AI agent—not a human operator—plans and executes the ransomware kill chain. The same vulnerability has also been weaponized by the Flodrix botnet to drop downloader scripts and install malware.
The Sysdig analysis details how JADEPUFFER exploited the Langflow RCE to inject an agentic AI payload. Once inside, the LLM-driven agent performed:
The entire chain ran without human intervention. The AI agent was given a goal and the tools to achieve it, making decisions on the fly—a textbook agentic AI ransomware Langflow exploit in the wild.
Langflow is a visual framework for composing AI agents and workflows. It’s become essential plumbing in many MLOps pipelines, often exposed with default credentials or no authentication at all. The missing-authentication endpoint allowed unauthenticated remote code execution. Even after the patch, internet-facing instances remain trivially discoverable. The gap isn’t just a missing update—it’s a failure to treat AI tooling as critical infrastructure. If you’re building on Langflow or similar agent frameworks, our guide to securing LLM workflows walks through the hardening steps most teams skip.
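As an added defender-side example (not code from the page, from Sysdig or from the Langflow project), the check below walks a reverse-proxy access log for the exposure described above: successful POSTs to the code-validation endpoint from outside trusted ranges, which means code ran without authentication, plus a per-IP count of every touch of that endpoint so probing of a patched host still surfaces. The endpoint path, the trusted ranges and the sample log lines are assumptions; adjust the first two to your deployment.

```python
import ipaddress
import re
from collections import Counter

# Assumption (not quoted on the page): the unauthenticated code-validation
# route of CVE-2025-3248 is served under this prefix; adjust to your build.
VALIDATE_PATH = "/api/v1/validate/code"

# Ranges from which Langflow administration is expected; anything else is external.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Combined-format access log line, as written by nginx/Apache in front of Langflow.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+')

def is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)

def find_suspicious(lines):
    """Return (findings, hits). findings: successful (2xx) POSTs to the code-validation
    endpoint from untrusted sources, i.e. code that ran without authentication.
    hits: every touch of the endpoint per IP, rejected ones included, to surface scanning."""
    findings, hits = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(VALIDATE_PATH):
            continue
        hits[m["ip"]] += 1
        if m["method"] == "POST" and m["status"].startswith("2") and not is_trusted(m["ip"]):
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"]})
    return findings, hits

# Constructed sample lines using documentation addresses, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Apr/2025:12:01:03 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Apr/2025:12:02:10 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Apr/2025:12:03:15 +0000] "GET /api/v1/flows HTTP/1.1" 401 0',
    '198.51.100.9 - - [10/Apr/2025:12:04:00 +0000] "POST /api/v1/validate/code HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    found, touched = find_suspicious(SAMPLE_LOG)
    print(found, dict(touched))
```

A 401 on the endpoint from an external address (the last sample line) is what a patched instance returns to the same probe; a 200 from an external address is the case to treat as an incident.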
For years, security researchers warned that LLM-driven attacks would progress from theory to operation. JADEPUFFER closes that loop. When an AI agent can chain exploits, adapt to environments, and execute ransomware at machine speed, the margin between initial access and impact shrinks to minutes. This isn’t a script-kiddie innovation; it’s a blueprint that lowers the skill floor for catastrophic attacks. Developers and platform teams need to shift from “can it happen?” to “our Langflow instance is reachable—what’s stopping it?”
Our AI development services incorporate adversarial hardening from day one—exactly the mindset needed when tools like Langflow can become an adversary’s entry point.
CVE-2025-3248 is a critical missing-authentication flaw in Langflow’s code validation endpoint, allowing unauthenticated remote code execution. In the JADEPUFFER campaign, attackers used this access to deploy an AI agent that automated the entire ransomware kill chain from reconnaissance to encryption.
The vulnerability was patched after Zscaler’s April 2025 disclosure, but many unpatched, internet-facing instances remain exposed. The active exploitation by both JADEPUFFER and the Flodrix botnet confirms that attackers are scanning for vulnerable deployments.
Agentic AI enables fully automated, context-aware attack chains where an LLM plans recon, executes lateral moves, and adapts in real time without human intervention. This drastically reduces the time from initial access to impact and lowers the expertise needed to run sophisticated ransomware operations.