Flowise AI Platform Under Active Attack: 12,000+ Instances Exposed to Maximum-Severity Vulnerability

-

 

What's Happening?

Security researchers at VulnCheck have confirmed that malicious actors are actively exploiting a critical vulnerability in Flowise, a popular open-source platform used to build AI agents and workflows. The flaw carries the highest possible severity rating, a CVSS score of 10.0, meaning it requires no special privileges to exploit and can result in complete system compromise.

The Vulnerability: CVE-2025-59528

The flaw, tracked as CVE-2025-59528, is a code injection vulnerability residing in Flowise's CustomMCP node, a component that lets users configure connections to external Model Context Protocol (MCP) servers. The problem lies in how the node processes user-provided configuration strings: it executes JavaScript code embedded in those strings without any security validation whatsoever.

Because Flowise runs with full Node.js runtime privileges, a successful attacker gains access to powerful system modules including:

  • child_process — enabling arbitrary command execution
  • fs — enabling full file system access

In practical terms, an attacker who weaponizes this flaw can execute any code on the target server, steal sensitive data, access the file system, or cause complete system takeover. Only a valid API token is required to launch the attack, making this an extreme risk to business operations and customer data.

The vulnerability was discovered and responsibly disclosed by Kim SooHyun, and was patched in version 3.0.6 of the Flowise npm package. An advisory was first published back in September 2025.

Active Exploitation in the Wild

Despite being public for over six months, the vulnerability is now being actively weaponized. According to VulnCheck, exploitation attempts have been traced back to a single Starlink IP address, suggesting opportunistic scanning and targeting of exposed instances.

This is not the first time Flowise has been targeted. CVE-2025-59528 is actually the third Flowise vulnerability with confirmed in-the-wild exploitation, following:

  • CVE-2025-8943 (CVSS 9.8) — remote OS command execution
  • CVE-2025-26319 (CVSS 8.9) — arbitrary file upload

The Scale of Exposure

What makes this situation particularly alarming is the sheer number of exposed targets. VulnCheck estimates that over 12,000 Flowise instances are publicly accessible on the internet. Caitlin Condon, VP of Security Research at VulnCheck, described the situation clearly:

This is a critical bug in a popular AI platform used by a number of large corporations. The internet-facing attack surface of 12,000+ exposed instances makes the active exploitation attempts we're seeing much more serious, attackers have plenty of targets to opportunistically reconnoiter and exploit.

What Should You Do?

If you or your organization is running Flowise, the steps are straightforward:

  1. Update immediately to version 3.0.6 or later of the Flowise npm package
  2. Audit your deployment, check whether your Flowise instance is publicly accessible
  3. Review API token access and restrict it to trusted sources only
  4. Monitor for suspicious activity, especially unusual outbound connections or file system changes

Key Takeaway

The Flowise incident is a stark reminder that AI development tools are becoming prime targets for cyberattacks. As these platforms grow in adoption across enterprises, their security posture becomes just as critical as the AI models they help build. Leaving known, patched vulnerabilities unaddressed, especially ones this severe, is an unacceptable risk.

Resources

Comments

Post a Comment

Popular posts from this blog

The Hidden Lag Killing Your SIEM Efficiency

-
Image
  If your security tools feel slower than they should, you’re not imagining it. Many IT teams blame their sluggish SIEM performance on query complexity or alert volume. But sometimes the real issue is much simpler: oversized input files quietly dragging your system down. Think about the last time you had to sift through a bloated PDF or an unoptimised log dump. Every unnecessary megabyte adds strain. Every redundant line eats up cycles. Your SIEM doesn’t just react to threats—it processes all incoming data, relevant or not. When it starts lagging, detection gets delayed, triage slows, and in the high-stakes world of threat response, even seconds count. We often focus on analytics and rule tuning, but upstream efficiency—what you feed into your system—deserves just as much attention. This article looks at how optimising your inputs unlocks downstream performance. Why Oversized Files Clog the Pipeline As data volumes grow, organisations face esca lating  data storage costs ,...
Read more

Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution

-
Image
Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution By : Rei Ibraima A newly discovered critical vulnerability in Veeam’s Backup & Replication software, designated as CVE-2025-23120, poses a significant security risk to enterprise environments. The flaw allows authenticated domain users to execute arbitrary code remotely, potentially leading to full compromise of backup infrastructures. About CVE-2025-23120 The vulnerability arises from an insecure deserialization issue within Veeam Backup & Replication components—particularly in the .NET classes Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary. Improper input validation in these components allows attackers to inject malicious serialized objects that are executed on the server side, resulting in Remote Code Execution (RCE). This issue affects systems where Veeam Backup & Replication is deployed in a domain-joined configuration, which—while common—is...
Read more

Lotus Panda Hacks SE Asian Governments With Browser Stealers and Sideloaded Malware

-
Image
The China-linked cyber espionage group tracked as Lotus Panda has been attributed to a campaign that compromised multiple organizations in an unnamed Southeast Asian country between August 2024 and February 2025. "Targets included a government ministry, an air traffic control organization, a telecoms operator, and a construction company," the Symantec Threat Hunter Team said in a new report shared with The Hacker News. "The attacks involved the use of multiple new custom tools, including loaders, credential stealers, and a reverse SSH tool." The intrusion set is also said to have targeted a news agency located in another country in Southeast Asia and an air freight organization located in another neighboring country. The threat cluster, per Broadcom's cybersecurity division, is assessed to be a continuation of a campaign that was disclosed by the company in December 2024 as a high-profile organization in Southeast Asia since at least October 2023. ...
Read more