← Back to feed

JadePuffer: Autonomous Agentic AI-Powered Ransomware Campaign via Langflow CVE-2025-3248

Date: 2026-07-06
Tags: malicious-tool, prompt-injection, nation-state

Executive Summary

A threat actor exploited a vulnerability in Langflow to access an organization's instance and abuse it in an agentic ransomware attack, with attackers exploiting Langflow vulnerability CVE-2025-3248 to conduct an agentic AI-powered ransomware attack involving reconnaissance, credential theft, and lateral movement. The attack demonstrates how LLM agents can combine known exploitation techniques with real-time reasoning to automate complex, multi-stage intrusions.

Campaign Summary

FieldDetail
Campaign / MalwareJadePuffer Langflow Campaign
AttributionJadePuffer threat actor group (confidence: high)
TargetEnterprise organization with internet-exposed Langflow deployment
VectorUnauthenticated remote code execution via CVE-2025-3248, followed by autonomous LLM-driven lateral movement and credential harvesting
Statusactive
First Observed2026-07-03

Detailed Findings

A threat actor tracked as JadePuffer gained access to an internet-exposed Langflow instance through the exploitation of CVE-2025-3248 (CVSS score of 9.8), a critical missing authentication vulnerability disclosed in April, with successful exploitation of the bug allowing attackers to execute arbitrary Python code on the host on which Langflow is running. The threat actor dumped Langflow's Postgres database to harvest the secrets in it, scanned the reachable internal address space and named services, probed for MinIO addresses for further credential extraction, and deployed a cron job for persistent access to the Langflow server. Throughout this initial phase, the LLM was observed adapting its actions in real time to complete tasks, extract credentials from different file types, and log into discovered endpoints; during the second phase of the attack, JadePuffer used the LLM to pivot to a production server hosting a MySQL database and an Alibaba Naming and Configuration Service (Nacos) configuration platform, with Nacos having been plagued by various security bypasses and uses a well-known default JWT signing key that allows for easy token forgery.

MITRE ATT&CK Mapping

TechniqueIDContext
Exploitation of Remote ServicesT1190CVE-2025-3248 RCE via Langflow
Credential DumpingT1003Postgres database extraction and credential harvesting
Lateral MovementT1570LLM-directed pivot to MySQL and Nacos services
PersistenceT1547Cron job deployment for persistent access

IOCs

Domains

_No specific IOCs published; affected software platforms and configuration services identified_

Full URL Paths

_No specific IOCs published; affected software platforms and configuration services identified_

Splunk Format

_No IOCs available for Splunk query_

Affected Platforms

Langflow (LLM-agnostic open-source framework)
Postgres
MySQL
Alibaba Nacos
MinIO

Detection Recommendations

Monitor for anomalous LLM inference patterns in Langflow deployments: high-volume automated prompt sequences, programmatic error recovery patterns, structured output formats characteristic of tool-calling pipelines. Track for exploitation of CVE-2025-3248 (missing authentication in Langflow). Alert on suspicious database queries to Postgres/MySQL from LLM execution context. Implement network segmentation to isolate AI infrastructure; restrict outbound connections from LLM execution environments; require authentication for all Langflow endpoints; monitor Nacos for JWT token forgery attempts (default signing key abuse). Block cron job creation from LLM-managed processes.

References