A threat actor known as JadePuffer exploited CVE-2025-3248 in Langflow to gain code execution and use an LLM to automate reconnaissance, credential theft, and persistence. The attack later pivoted to a production server, abused Nacos weaknesses, and ended with encrypted configuration data and an extortion note. #Langflow #CVE-2025-3248 #JadePuffer #Nacos #Sysdig
Keypoints
- JadePuffer exploited CVE-2025-3248 in an internet-exposed Langflow instance.
- The attacker used the LLM for reconnaissance and secret harvesting.
- Langflow's Postgres database was dumped to collect additional credentials.
- The attack pivoted to a production server running MySQL and Nacos.
- The final stage encrypted 1,342 Nacos configuration items and left an extortion table.
Read More: https://www.securityweek.com/agentic-ai-used-to-conduct-ransomware-attack-via-langflow/