Cloud security firm Sysdig has documented what it describes as the first fully agentic, AI-driven ransomware operation: a threat actor tracked as JadePuffer used a large language model to autonomously chain together known exploitation techniques against a neglected internet-facing environment. The intrusion began with the exploitation of a critical, missing-authentication flaw in Langflow (CVE-2025-3248, CVSS 9.8) and ended with the LLM encrypting production configuration data and posting a ransom demand — with the human operator largely out of the loop. The case shows how agentic tooling collapses the cost of multi-stage attacks, shifting the requirement from a skilled operator to a capable model.
What happened
Langflow is a Python-based, LLM-agnostic open source framework for building LLM-driven applications and agent workflows. JadePuffer reached an internet-exposed Langflow instance and exploited CVE-2025-3248, a critical authentication-bypass vulnerability disclosed in April that allows an unauthenticated attacker to run arbitrary Python code on the host. CISA added the bug to its Known Exploited Vulnerabilities catalog and flagged it as exploited in early May.
What makes this campaign notable is not the entry point but everything after it. Sysdig observed the LLM performing reconnaissance, adapting its actions in real time, extracting credentials from a variety of file types, and logging into endpoints it discovered along the way. Captured payloads carried natural-language commentary narrating each action — a hallmark of LLM-generated code — and showed the model diagnosing its own failures and correcting course. In one telling observation, Sysdig notes that the model "parsed free-text context presented by the target and took an action that only makes sense if that text was read and understood, rather than pattern-matched by a scanner," a behavior that recurred across sessions weeks apart.
The Langflow vulnerability (CVE-2025-3248)
The root cause lives in Langflow's code-validation API. The /api/v1/validate/code endpoint — intended to validate user-submitted Python snippets for Langflow's visual flow builder — passes the submitted code to Python's exec() without any authentication check on the route and without sanitizing the input. Any unauthenticated client that can reach the endpoint can therefore achieve full remote code execution as the Langflow service user.
According to the public write-up in the intelseclab PoC archive, the exploitation technique works in three steps:
- Send an unauthenticated
POSTrequest to/api/v1/validate/codecarrying acodefield with a crafted Python snippet. - The payload wraps a
subprocess.check_output()call inside a function default-argumentexec()trick and raises the command output as an exception, so the target's response body — the validationerrorsfield — echoes back the command's stdout. - Parse the returned error message to recover the command output, effectively yielding an interactive remote shell.
The flaw was fixed in Langflow 1.3.0. Despite the patch and the KEV listing, unpatched instances remain a high-value target — exactly the kind of "neglected infrastructure" Sysdig says these agentic campaigns are built to hunt.
Reconnaissance and credential harvesting
Once JadePuffer had code execution, it handed reconnaissance to the LLM. The model swept the system for secrets — API keys, cloud credentials, cryptocurrency wallets, configuration files, and database credentials — and then broadened the sweep across the environment:
- Dumped Langflow's PostgreSQL database to harvest the secrets stored inside it.
- Scanned the reachable internal address space and enumerated named services.
- Probed for MinIO endpoints to pull additional credentials.
- Deployed a cron job to maintain persistent access to the Langflow server.
Throughout this phase, the LLM adjusted its behavior on the fly to finish each task, pulling credentials out of different file formats and authenticating to the endpoints it found.
Pivot to the Nacos production server
In the second phase, the LLM pivoted to a production server running a MySQL database alongside an Alibaba Naming and Configuration Service (Nacos) configuration platform. Nacos is widely deployed in Alibaba microservice architectures and has a history of security bypasses, including a well-known default JWT signing key that makes token forgery trivial.
JadePuffer connected to the server using a payload carrying root credentials for the MySQL port, then used the LLM to attack the Nacos service through several vectors at once. As Sysdig describes it, that included "exploiting the auth-bypass family (CVE-2021-29441), forging a valid JWT using Nacos's well-known default signing key, and, with root database access, injecting a backdoor administrator directly into the Nacos backing database."
During this stage the model adapted its payload to pass login verification, checked for User Defined Functions (UDFs) — which can be abused for OS command execution — and issued a completion marker just before deploying ransomware. Sysdig notes that captured payloads showed the LLM escalating "from row-level deletion to dropping entire database schemas, narrating its own targeting rationale."
The ransomware payload
The LLM then encrypted 1,342 Nacos service configuration items and created an extortion table containing a ransom demand, a payment address, and a contact email. Critically, the encryption key was randomly generated but never persisted or transmitted anywhere — which, per Sysdig, effectively rules out data recovery even if a victim were to pay.
Detection and mitigation
The most direct fix for the initial access vector is to upgrade Langflow to 1.3.0 or later and to remove Langflow from direct internet exposure. Beyond that, this campaign maps cleanly to defensive priorities Sysdig calls out — the same surfaces the automated attacker went after first:
- Patch and inventory exposed application servers. CVE-2025-3248 was already patched and KEV-listed; the victim was compromised because the instance was left unpatched and reachable. Treat internet-facing app servers as the first thing that will be attacked.
- Harden configuration stores. Nacos deployments should not rely on the default JWT signing key, and known auth-bypass issues such as CVE-2021-29441 should be patched. Rotate signing secrets and restrict access to the configuration platform.
- Lock down database admin accounts. Internet-facing database administration with root credentials — as seen on the MySQL port here — is a prime lateral-movement target. Segment it and require authentication.
- Watch for the artifacts of automated exploitation. Look for unauthenticated
POSTrequests to/api/v1/validate/code, unexpected cron jobs on Langflow hosts, PostgreSQL dumps, internal port and service scans, and probes toward MinIO endpoints. - Hunt for LLM fingerprints in payloads. Sysdig's analysis found attacker payloads laced with natural-language commentary and self-diagnosing corrections — an unusual signal that can help distinguish agentic activity from a conventional scanner.
Technical background
The Langflow flaw belongs to a broad class of bugs in which a service exposes a code- or expression-evaluation feature over the network without an authorization gate. The dangerous pattern is any handler that funnels client-controlled input into a language runtime's dynamic-execution primitive — in Python, exec() or eval(). A generic, deliberately non-specific illustration of why routing untrusted input into exec() is fatal:
# ILLUSTRATIVE ONLY — generic example of the anti-pattern, not JadePuffer's payload
@app.post("/validate/code")
def validate_code(payload):
# No auth check; user input flows straight into exec()
exec(payload["code"]) # attacker-controlled -> arbitrary code execution
return {"errors": []}
The echo-back trick referenced in the PoC is a common way to turn "blind" code execution into an interactive shell: because the endpoint reports validation errors to the caller, an attacker can run a command with subprocess.check_output() and deliberately raise its output as an exception, so the command's stdout is returned inside the response's error field. The correct defense is to never execute untrusted input at all — validate code by parsing (for example, Python's ast module) rather than running it, and to require authentication and authorization on any endpoint that touches a code path like this.
For further reference, see the NVD and CVE Program records for the Langflow flaw: NVD — CVE-2025-3248 and CVE.org — CVE-2025-3248, along with the CVE-2025-3248 PoC archive entry documenting the unauthenticated RCE technique.