Introduction: A perfect storm in the AI development space
Security researchers are sounding the alarm over a maximum-severity vulnerability in Flowise, a popular open-source platform for building AI agents. The flaw, tracked as CVE-2025-59528, has received a CVSS score of 10.0, indicating a critical threat that is trivial to exploit remotely without any authentication. According to a new report from cybersecurity firm VulnCheck, threat actors are already actively exploiting this vulnerability in the wild, targeting a pool of over 12,000 publicly exposed Flowise instances.
This incident throws a harsh spotlight on the security posture of the rapidly expanding AI development ecosystem. Flowise allows developers to create customized Large Language Model (LLM) workflows using a simple drag-and-drop interface, making it an attractive tool for startups and enterprises alike. However, its rapid adoption has seemingly outpaced security hardening, creating a significant attack surface for opportunistic adversaries.
Technical breakdown: How a configuration node becomes a backdoor
The vulnerability resides in a specific component of the platform known as the "CustomMCP node." This node is designed to give developers flexibility, allowing them to input custom configuration settings to connect their AI agents with various services and APIs. The fatal flaw lies in how this node processes user-supplied input.
At its core, CVE-2025-59528 is a code injection vulnerability. Attackers can craft a malicious payload and insert it into the configuration fields of the CustomMCP node. The server-side application fails to properly sanitize or validate this input, treating the malicious data as executable code. This allows an unauthenticated attacker to send a single, specially crafted request to a vulnerable Flowise instance and achieve remote code execution (RCE).
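As an added illustration of the bug class (this is not Flowise's code and not the CVE-2025-59528 code path, whose details the report does not give), the following contrasts a configuration parser that hands a user-supplied field to the JavaScript engine with a hardened version that treats the field as inert data and validates it against an allow-list. JavaScript is used because Flowise is a Node.js application; the field name, schema keys and URL rule are assumptions.

```javascript
// Added illustration of the bug class, not Flowise's own code.
// Assumption: a configuration field arrives as a string from an
// unauthenticated request and must be turned into a settings object.

// VULNERABLE PATTERN: the field is handed to the JavaScript engine, so any
// expression it contains runs with the privileges of the server process.
function parseConfigUnsafe(fieldText) {
  return new Function(`return (${fieldText});`)();
}

// Allow-list of keys a legitimate config may contain, with expected types
// (assumed schema for the illustration).
const CONFIG_SCHEMA = {
  url: "string",
  timeoutMs: "number",
  headers: "object",
};

// HARDENED PATTERN: parse as data (JSON.parse never executes code), then
// reject anything outside the schema instead of trusting the structure.
function parseConfigSafe(fieldText) {
  let parsed;
  try {
    parsed = JSON.parse(fieldText);
  } catch {
    throw new Error("config must be valid JSON");
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    throw new Error("config must be a JSON object");
  }
  for (const [key, value] of Object.entries(parsed)) {
    // hasOwnProperty guards against keys like __proto__ reaching the schema lookup
    if (!Object.prototype.hasOwnProperty.call(CONFIG_SCHEMA, key)) {
      throw new Error(`unexpected key: ${key}`);
    }
    if (typeof value !== CONFIG_SCHEMA[key]) {
      throw new Error(`bad type for ${key}`);
    }
  }
  if (typeof parsed.url === "string" && !/^https?:\/\//.test(parsed.url)) {
    throw new Error("url must be http(s)");
  }
  return parsed;
}
```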
A CVSS score of 10.0 is reserved for the most severe vulnerabilities, and this one ticks all the boxes:
- Attack Vector (Network): The vulnerability can be exploited over the internet.
- Attack Complexity (Low): No specialized knowledge or tools are required; the exploit is straightforward to execute.
- Privileges Required (None): The attacker does not need any username, password, or prior access.
- User Interaction (None): The attack requires no action from a legitimate user.
Successful exploitation grants an attacker complete control over the Flowise application process. Depending on the privileges with which the application is running, this could translate to full control over the underlying server. Attackers can deploy web shells for persistent access, install cryptomining software, or use the compromised server as a pivot point to move deeper into an organization's internal network.
Impact assessment: Who is at risk?
The impact of this vulnerability is extensive, affecting any organization or individual running a publicly accessible, unpatched version of Flowise. With over 12,000 instances visible on internet scanning platforms like Shodan, the potential for widespread compromise is high. These deployments range from experimental projects by individual developers to production systems integrated into corporate workflows.
The data at risk is particularly sensitive. AI agents built with Flowise often handle or have access to valuable information, including:
- API Keys and Credentials: Keys for services like OpenAI, Anthropic, Google Cloud, and other third-party platforms are often stored within Flowise configurations. Their theft could lead to significant financial loss and further system compromises.
- Proprietary Data: Companies use Flowise to build agents that interact with internal documents, customer relationship management (CRM) systems, and proprietary databases. A breach could lead to the exfiltration of trade secrets and sensitive business intelligence.
- Customer and Personal Data: AI-powered chatbots and customer service agents may process personally identifiable information (PII). A compromise could result in a major data breach, triggering regulatory fines under frameworks like GDPR and CCPA.
This incident is a sobering example of the growing security risks in the AI supply chain. As organizations rush to integrate AI, the tools and frameworks they rely on become high-value targets. A single flaw in a popular open-source tool can have a cascading effect across thousands of organizations globally.
How to protect yourself: Actionable steps for mitigation
Organizations using Flowise must act immediately to mitigate this threat. Time is of the essence, as automated scanning and exploitation are already underway.
- Patch Immediately: The Flowise development team has released a patched version that addresses CVE-2025-59528. This is the most critical first step. Identify all Flowise instances within your environment and upgrade them to the latest secure version without delay.
- Reduce Exposure: Conduct a thorough review of your Flowise deployments. If an instance does not need to be publicly accessible, place it behind a firewall and restrict access to authorized personnel only. For necessary remote access, ensure connections are secured through a trusted VPN service to limit your attack surface.
- Hunt for Signs of Compromise: Assume you may have already been breached. Security teams should actively hunt for indicators of compromise (IOCs). Look for unusual outbound network connections from your Flowise servers, unexpected processes spawned by the Flowise application (e.g., `sh`, `bash`, `powershell`), and the presence of suspicious files like web shells in the application's directories. Review access logs for anomalous requests targeting the application's configuration endpoints.
- Implement Web Application Firewalls (WAF): A properly configured WAF can provide a valuable layer of defense by detecting and blocking malicious requests attempting to exploit this type of code injection vulnerability. While not a substitute for patching, it can serve as a crucial compensating control.
- Review Security Practices for AI/ML Tools: Use this incident as a catalyst to evaluate your organization's security policies for AI development. All tools, especially open-source ones, should be subject to security vetting, regular vulnerability scanning, and a strict patch management lifecycle. Treat your AI infrastructure with the same security rigor as any other critical production system.
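The "unexpected processes spawned by the Flowise application" check from the hunting step above, as an added example that is not part of the original article or of Flowise: it parses a `ps -eo pid,ppid,comm,args` snapshot and reports shells whose process ancestry leads back to the Flowise process. It assumes Flowise runs as a Node.js process whose command line contains "flowise" (adjust PARENT_MATCH for your deployment); the sample snapshot is constructed.

```javascript
// Added hunting helper, not part of Flowise. Assumption: the Flowise process
// is identifiable by "flowise" in its command line. Input is the text output
// of `ps -eo pid,ppid,comm,args` on the server.
const PARENT_MATCH = /flowise/i;
const SHELLS = new Set(["sh", "bash", "dash", "zsh", "pwsh", "powershell"]);

// Parse the ps table into {pid, ppid, comm, args} rows, skipping the header.
function parsePs(psText) {
  const rows = [];
  for (const line of psText.trim().split("\n").slice(1)) {
    const m = line.trim().match(/^(\d+)\s+(\d+)\s+(\S+)\s+(.*)$/);
    if (m) rows.push({ pid: +m[1], ppid: +m[2], comm: m[3], args: m[4] });
  }
  return rows;
}

// Return every shell whose ancestor chain includes a Flowise process.
function findShellsUnderFlowise(psText) {
  const rows = parsePs(psText);
  const byPid = new Map(rows.map((r) => [r.pid, r]));
  const flowisePids = new Set(
    rows.filter((r) => PARENT_MATCH.test(r.args)).map((r) => r.pid)
  );
  const hits = [];
  for (const r of rows) {
    if (!SHELLS.has(r.comm)) continue;
    // Walk up the tree until init is reached; `seen` guards against cycles.
    let p = byPid.get(r.ppid);
    const seen = new Set();
    while (p && !seen.has(p.pid)) {
      if (flowisePids.has(p.pid)) {
        hits.push({ pid: r.pid, args: r.args, via: p.pid });
        break;
      }
      seen.add(p.pid);
      p = byPid.get(p.ppid);
    }
  }
  return hits;
}

// Constructed sample snapshot (not real data): 4242 is Flowise, 5001 is a
// shell it spawned (should be flagged), 5002 is an admin shell under sshd.
const SAMPLE_PS = `
  PID  PPID COMMAND         COMMAND
    1     0 systemd         /sbin/init
  900     1 sshd            /usr/sbin/sshd -D
 4242     1 node            node /app/flowise/dist/index.js start
 5001  4242 sh              sh -c PLACEHOLDER_COMMAND
 5002   900 bash            -bash
`;
```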
The active exploitation of CVE-2025-59528 is a clear and present danger. The combination of a critical, easy-to-exploit vulnerability and a large number of exposed systems creates a perfect environment for widespread attacks. Administrators and security teams must respond decisively to patch their systems and hunt for potential intrusions before significant damage occurs.