Researchers detail an automated intrusion that exploited CVE-2025-3248, harvesting credentials, abusing default login credentials and encrypting data for ransom.
Some security researchers have documented what appears to be the first ransomware attack carried out end-to-end by an AI agent to systematically break in, steal credentials, move through the network, encrypt data, and wipe a production database.
The attack underscores how automation can lower the barrier to entry for ransomware, because much of the operational work that once required a skilled human can now be stitched together by a model.
The initial foothold came through CVE-2025-3248 in Langflow, an open-source platform for building AI apps and agent workflows. That flaw, which was fixed in Langflow 1.3.0 and added to CISA’s Known Exploited Vulnerabilities list in May 2025, allowed unauthenticated remote code execution on exposed servers, many of which still had not been patched.
Exploiting default login credentials/signing keys
Threat researchers had noted that Langflow instances are especially attractive targets because they are often internet-facing and may store API keys and cloud credentials connected to downstream services.
Once an AI agent manages to break into the platform, it can rapidly map the system and search for secrets, including keys for AI services and cloud credentials from major providers. In the incident involving this ransomware attack, the agent had also harvested cryptocurrency wallet keys and database logins, then accessed a MinIO storage server using the default minioadmin:minioadmin credentials that had never been changed. To maintain persistence, it had created a scheduled task that checked in with the attacker’s server every 30 minutes.
Subsequently, the agent pivoted to a separate internet-facing server running MySQL and Alibaba’s Nacos, where it logged in as root. How those root credentials were obtained is still a question mark, but researchers said but once inside the environment, the attacker exploited a 2021 authentication bypass and a default signing key that had remained unchanged since 2020, then planted a nw admin account. It then encrypted all 1,342 Nacos configuration entries, deleted the original tables, and left a ransom note demanding Bitcoin.
The researchers from Sysdig had also discovered that the ransom routine was flawed in a way that made recovery impossible: the agent had generated a random key, displayed it once, and never saved or transmitted it, meaning even payment would not restore the data. Forensic analyses have found more than 600 distinct payloads, with attack code containing plain-English comments, rapid self-corrections, and machine-speed troubleshooting that strongly suggest AI involvement.
The entire cyber incident fits a broader trend in which exposed, unpatched software becomes easy prey as agentic tools make mass exploitation faster and cheaper.
