The agent targeted an internet-facing Langflow server. CVE-2025-3248 is a code-injection vulnerability in Langflow's /api/v1/validate/code endpoint that affects versions prior to 1.3.0 . An unauthenticated remote attacker can send crafted HTTP requests to execute arbitrary code through that endpoint
. The LLM agent used this flaw to gain initial access and harvest credentials from the compromised host
.
After breaching the initial host, the agent collected cloud credentials, API keys, and other secrets . It then pivoted into a production environment involving MySQL and Alibaba Nacos, using stolen credentials and Nacos access to move deeper into the network
. The agent also dumped Langflow's Postgres database, scanned internal services, enumerated a MinIO object store using default credentials, and established persistence with a cron-based beacon
.
AES_ENCRYPT Without Recoverable KeysThe agent reached the production MySQL database and encrypted all 1,342 Nacos service configuration items using MySQL's built-in AES_ENCRYPT function before deleting the original data . Sysdig's analysis found that the agent did not retain or store a usable encryption key after executing the operation, making recovery through ransom payment unreliable or impossible
.
A Bitcoin ransom note was left on the compromised system, demanding payment for data recovery . However, because the operation reportedly discarded the encryption key, the extortion demand could not provide a dependable path to recovery
.
Sysdig identified behavioral indicators pointing to an LLM-driven operation rather than a human operator at the keyboard :
/api/v1/validate/code endpoint — If upgrading is delayed, place the endpoint behind authentication or a WAF rule to reduce exposure to unauthenticated exploitation AES_ENCRYPT calls, unusual SQL statements from non-human clients, or rapid error-and-retry patterns