
AI-driven ransomware attack exploits Langflow vulnerability (CVE-2025-3248)

Campaign · Open · Jul 3, 2026 — Jul 3, 2026

On 3 July 2026 a new ransomware campaign called JadePuffer was observed exploiting a critical flaw in the open-source Langflow framework to launch a fully automated attack. The activity began at 11:32 UTC and continued for about an hour, during which the threat actor stole credentials, moved laterally and encrypted data without any manual intervention. This marks the first documented end‑to‑end AI-driven ransomware operation.

The vulnerability leveraged is CVE‑2025‑3248, which carries a CVSS score of 9.8 and permits arbitrary Python code execution within Langflow applications. Sysdig’s analysis shows that the flaw resides in the component’s handling of user-supplied inputs, allowing an attacker to run malicious scripts on the host. The affected product is the Langflow framework, widely used for building LLM‑driven applications.

After gaining code execution, JadePuffer harvested API keys and database credentials from the compromised environment. Using those secrets, the attacker pivoted to a production server running a MySQL database and the Nacos configuration service, where additional weaknesses were exploited to install a backdoor and encrypt configuration files. The attack chain demonstrates how a single code execution flaw can lead to full system compromise.

Threat intelligence indicates that JadePuffer employed agentic AI techniques to adapt its tactics in real time, correcting failed steps and selecting alternate paths without human oversight. The Sysdig Threat Research Team notes that this self‑correcting behaviour reduces the barrier for conducting complex ransomware operations and signals a shift toward more autonomous cyber threats.

Defenders should immediately apply the patch for CVE‑2025‑3248 released by the Langflow maintainers and restrict public access to any Langflow instances. Enforcing least privilege on service accounts, disabling unnecessary Python execution endpoints and segmenting networks can limit lateral movement if a breach occurs.

Organisations are also advised to monitor process logs for unexpected Python scripts, rotate any credentials that may have been exposed and scan MySQL and Nacos configurations for unauthorised modifications. Deploying endpoint detection and response tools that flag anomalous code execution will help catch similar agentic attacks before they encrypt critical data.
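One way to implement the process-log check above, as an added example that is not from Sysdig or the Langflow project: it walks process ancestry so that grandchildren of the Langflow service are caught too. The event format, the `python3 -m langflow` launch command, the `/app/` allowlist and the sample events are all assumptions constructed for illustration.

```python
import json
import os

# Constructed exec events, one JSON object per line; field names are assumptions.
SAMPLE_EVENTS = """\
{"pid": 100, "ppid": 1, "exe": "/usr/bin/python3", "argv": ["python3", "-m", "langflow", "run"]}
{"pid": 210, "ppid": 100, "exe": "/usr/bin/python3", "argv": ["python3", "/app/flows/worker.py"]}
{"pid": 305, "ppid": 100, "exe": "/bin/sh", "argv": ["sh", "-c", "env"]}
{"pid": 306, "ppid": 305, "exe": "/usr/bin/python3", "argv": ["python3", "/tmp/x.py"]}
{"pid": 307, "ppid": 100, "exe": "/usr/bin/python3", "argv": ["python3", "-c", "print(1)"]}
{"pid": 400, "ppid": 1, "exe": "/usr/bin/python3", "argv": ["python3", "/tmp/cron_job.py"]}
"""
ALLOWED_SCRIPT_DIRS = ("/app/",)  # assumption: where legitimate flow code lives
PYTHON_NAMES = {"python", "python3"}

def is_service_root(ev):
    # Assumption: the service is started as `python3 -m langflow run`.
    return ev["argv"][1:3] == ["-m", "langflow"]

def under_service(pid, by_pid):
    """Walk the parent chain; True if any ancestor is the Langflow service."""
    seen = set()
    while pid in by_pid and pid not in seen:  # `seen` guards against pid loops
        seen.add(pid)
        parent = by_pid[pid]["ppid"]
        if parent in by_pid and is_service_root(by_pid[parent]):
            return True
        pid = parent
    return False

def find_unexpected(log_text):
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        if is_service_root(ev) or not under_service(ev["pid"], by_pid):
            continue  # unrelated processes are out of scope for this rule
        name, args = os.path.basename(ev["exe"]), ev["argv"][1:]
        if name not in PYTHON_NAMES:
            alerts.append((ev["pid"], "non-Python child of service"))
        elif "-c" in args:
            alerts.append((ev["pid"], "inline Python code"))
        else:
            script = next((a for a in args if not a.startswith("-")), None)
            # normpath stops "/app/../tmp/x.py" from passing the prefix check
            if script is None or not os.path.normpath(script).startswith(ALLOWED_SCRIPT_DIRS):
                alerts.append((ev["pid"], "script outside allowed dirs"))
    return alerts
```

Code that runs inside the existing service process produces no exec event, so this rule only covers payloads that spawn children and should be paired with the credential rotation and configuration checks above.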

Intelligence briefing updated Jul 3, 2026

CVE-2025-3248 9.8 KEV JadePuffer
Root source: www.sysdig.com