
Critical Flowise AI Vulnerability (CVE-2025-59528) Actively Exploited, Exposing Over 12,000 Instances


Cybersecurity researchers have identified active exploitation of a critical, maximum-severity vulnerability in Flowise, a popular open-source platform for building AI agents and workflows. Tracked as CVE-2025-59528 and assigned the highest possible CVSS score of 10.0, this code injection flaw allows unauthenticated attackers to execute arbitrary commands remotely on affected systems. According to VulnCheck, the vulnerability resides within the platform's CustomMCP (Model Context Protocol) node, which is designed to let users input configuration settings for connecting to external AI models and services. By injecting malicious code into these configuration fields, threat actors can bypass security controls and gain complete control over the underlying server.

The exposure is significant: internet scans reveal over 12,000 publicly accessible Flowise instances worldwide, and a substantial portion of these deployments is believed to be vulnerable, presenting a vast attack surface. Exploitation is straightforward and requires no authentication, which lowers the barrier to entry even for less sophisticated attackers. Successful compromise can lead to data theft, deployment of ransomware, installation of cryptocurrency miners, or the establishment of a persistent foothold within an organization's network for further lateral movement. Because Flowise is often used to handle sensitive AI workflows and data, a breach could expose proprietary models, training data, and internal business logic.

Organizations using Flowise are urged to take immediate action. The primary mitigation is to upgrade to the latest patched version released by the Flowise development team. For instances that cannot be updated immediately, administrators should implement strict network access controls, ensuring the Flowise application is not exposed to the public internet and is only accessible over a secure, internal network or via a VPN. Additionally, reviewing system logs for any unusual activity or unauthorized access attempts related to the CustomMCP node is critical. This incident underscores the heightened security risks associated with the rapid adoption of generative AI and LLM (Large Language Model) orchestration tools, which often become high-value targets.

The active exploitation of CVE-2025-59528 serves as a stark reminder of the security responsibilities that come with deploying open-source software, especially in the burgeoning AI space. While these tools democratize AI development, they also introduce complex attack vectors that may be overlooked during rapid deployment. Security teams must integrate vulnerability management and proactive threat hunting into their AI toolchain lifecycle, treating these platforms with the same rigor as any internet-facing application. As AI integration deepens, expect to see a continued focus from both defenders and attackers on the security of the infrastructure that powers and orchestrates these intelligent systems.
