Langflow RCE
Nacos deployments
Sysdig's Threat Research Team documented an operator named JADEPUFFER that exploited CVE-2025-3248, a critical unauthenticated remote code execution flaw in Langflow patched in April 2025 and in CISA's KEV catalog since May 2025, to gain code execution on an internet-facing AI orchestration server. From there, an LLM agent conducted the entire operation autonomously: system reconnaissance, environment variable scanning for API keys and cloud credentials, a MinIO object store enumeration using default credentials that had never been changed, credential harvesting, persistence via a 30-minute crontab beacon, and pivot to a separate production MySQL and Nacos server.
The agent exploited CVE-2021-29441 to forge Nacos administrator accounts, encrypted 1,342 Nacos configuration items using MySQL's native AES_ENCRYPT function, dropped the original tables, and created a README_RANSOM table containing a Bitcoin address and a contact email. The AES key was generated randomly, printed to stdout once, and never stored or transmitted. The data is permanently unrecoverable regardless of payment. The agent self-corrected in real time: in one sequence it went from a failed login to a working fix in 31 seconds. Its payloads contained natural language annotations explaining each step's reasoning, which Sysdig used to confirm LLM authorship.
- Patch Langflow to a version that fixes CVE-2025-3248. Do not expose Langflow's code-execution or validation endpoints to the internet under any configuration.
- Remove cloud provider API keys, database credentials, and AI service tokens from environment variables on any internet-facing AI orchestration server. Store secrets in a dedicated secrets manager.
- Change Nacos's default token.secret.key and upgrade to a version that enforces a custom key. Remove Nacos from public internet exposure and remove root-level database access from the Nacos service account.