Executive Summary
In September 2025, a critical remote code execution (RCE) vulnerability, identified as CVE-2025-59528, was discovered in Flowise AI version 3.0.5. The flaw resided in the CustomMCP node, which executed user-supplied JavaScript code without validation, giving attackers the full privileges of the Node.js runtime. Exploitation could lead to complete system compromise, unauthorized command execution, and data exfiltration. Flowise fixed the issue in version 3.0.6. (nvd.nist.gov)
As of April 2026, active exploitation of CVE-2025-59528 has been observed, with over 12,000 Flowise instances exposed to potential attacks. This resurgence underscores the critical need for organizations to ensure their systems are updated to the latest secure versions to mitigate such high-severity threats. (thehackernews.com)
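The defect class described in the summary above (user-supplied text run as JavaScript instead of being parsed as data), shown beside a hardened parser. This is an added example, not Flowise's code or the 3.0.6 fix; the config shape (command/args/env), the command allow-list and both sample inputs are assumptions constructed for illustration.

```javascript
// Added illustration of the defect class; not Flowise source code.
// The config shape (command/args/env) and the allow-list are assumptions.
const ALLOWED_KEYS = new Set(['command', 'args', 'env']);
const ALLOWED_COMMANDS = new Set(['node', 'npx']); // constructed allow-list

// Defect class: the string is compiled and run as JavaScript, so any
// expression in it executes with the privileges of the Node.js process.
function parseAsCode(text) {
  return new Function('return (' + text + ')')();
}

// Hardened form: the string is parsed as data and checked against a schema.
function parseAsData(text) {
  let cfg;
  try {
    cfg = JSON.parse(text); // JSON has no expressions, calls or identifiers
  } catch (err) {
    return { ok: false, reason: 'not strict JSON' };
  }
  if (cfg === null || typeof cfg !== 'object' || Array.isArray(cfg)) {
    return { ok: false, reason: 'config must be an object' };
  }
  for (const key of Object.keys(cfg)) {
    if (!ALLOWED_KEYS.has(key)) return { ok: false, reason: 'unexpected key: ' + key };
  }
  if (!ALLOWED_COMMANDS.has(cfg.command)) {
    return { ok: false, reason: 'command not on allow-list' };
  }
  const args = cfg.args === undefined ? [] : cfg.args;
  if (!Array.isArray(args) || !args.every((a) => typeof a === 'string')) {
    return { ok: false, reason: 'args must be an array of strings' };
  }
  const env = cfg.env === undefined ? {} : cfg.env;
  if (env === null || typeof env !== 'object' || Array.isArray(env) ||
      !Object.values(env).every((v) => typeof v === 'string')) {
    return { ok: false, reason: 'env must map names to strings' };
  }
  return { ok: true, config: { command: cfg.command, args, env } };
}

// Constructed inputs: one plain config, one that embeds an expression.
const plainInput = '{"command": "npx", "args": ["-y", "example-mcp-server"]}';
const exprInput = '{"command": "npx", "args": [String(6 * 7)]}';

console.log(parseAsData(plainInput));     // accepted as data
console.log(parseAsCode(exprInput).args); // the embedded expression was evaluated
console.log(parseAsData(exprInput));      // rejected before anything runs
```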
Why This Matters Now
The active exploitation of CVE-2025-59528 in Flowise AI, with over 12,000 instances at risk, highlights the urgent need for organizations to update their systems to the latest secure versions to prevent potential system compromises and data breaches.
Attack Path Analysis
An attacker exploited a code injection vulnerability in Flowise's CustomMCP node to achieve remote code execution. With this access, they escalated privileges by using the full privileges of the Node.js runtime, which gave them access to critical modules. The attacker then moved laterally within the network by exploiting other vulnerable services and established command and control channels to maintain persistent access. Subsequently, they exfiltrated sensitive data from the compromised systems. Finally, the attacker deployed ransomware, encrypting critical files and demanding payment.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited a code injection vulnerability in Flowise's CustomMCP node, allowing remote code execution.
Related CVEs
CVE-2025-59528
CVSS 10
A code injection vulnerability in Flowise AI Agent Builder allows remote code execution via the CustomMCP node.
Affected Products:
FlowiseAI Flowise – 3.0.5
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
JavaScript
Exploitation for Client Execution
Exploit Public-Facing Application
Valid Accounts
Process Injection
Ingress Tool Transfer
Service Execution
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity
Control ID: Pillar 2
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Direct exposure to CVE-2025-59528 RCE vulnerability in AI platforms threatens software development infrastructure, requiring immediate zero trust segmentation and egress security controls.
Information Technology/IT
Critical risk from 12,000+ exposed Flowise instances enables remote code execution, demanding enhanced threat detection, anomaly response, and multicloud visibility across IT infrastructure.
Financial Services
AI agent builder exploitation poses severe compliance risks under PCI DSS requirements, necessitating encrypted traffic controls and east-west traffic security for financial applications.
Health Care / Life Sciences
Maximum severity RCE vulnerability threatens HIPAA compliance in AI-enabled healthcare systems, requiring immediate implementation of Kubernetes security and a cloud native security fabric.
Sources
- Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed: https://thehackernews.com/2026/04/flowise-ai-agent-builder-under-active.html
- CVE-2025-59528 Detail: https://nvd.nist.gov/vuln/detail/CVE-2025-59528
- Flowise Security Advisory GHSA-3gcm-f6qx-ff7p: https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-3gcm-f6qx-ff7p
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could likely reduce the attacker's ability to escalate privileges, move laterally, and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix CNSF may not prevent the initial code injection, it could likely limit the attacker's ability to exploit the vulnerability further by enforcing strict segmentation and identity-aware policies.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could likely limit the attacker's ability to escalate privileges by enforcing least-privilege access controls and restricting access to critical modules.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could likely constrain the attacker's lateral movement by monitoring and controlling internal traffic flows, thereby reducing the attacker's ability to exploit other services.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could likely detect and disrupt unauthorized command and control channels by providing comprehensive monitoring and control over network traffic.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could likely limit data exfiltration by enforcing strict outbound traffic policies and monitoring for unauthorized data transfers.
While Aviatrix CNSF may not prevent the deployment of ransomware, it could likely reduce the blast radius by limiting the attacker's ability to spread the ransomware across the network.
Impact at a Glance
Affected Business Functions
- AI Model Deployment
- Data Processing Pipelines
- Customer Support Chatbots
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive AI models and customer data.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to enforce least privilege access and prevent lateral movement.
- Deploy Inline IPS (Suricata) to detect and block known exploit patterns and malicious payloads.
- Utilize Cloud Native Security Fabric (CNSF) for real-time inspection and autonomous policy enforcement.
- Establish Multicloud Visibility & Control to monitor traffic and detect anomalous interactions.
- Enforce Egress Security & Policy Enforcement to control outbound traffic and prevent data exfiltration.



