Security researchers have confirmed that threat actors are actively exploiting a maximum-severity vulnerability in the open-source Flowise AI platform. The flaw, which carries a perfect severity score, allows for remote code execution and has left over 12,000 instances exposed online, according to a new report from the vulnerability intelligence firm VulnCheck.
Details of the Critical Flaw
The vulnerability is tracked as CVE-2025-59528 and has been assigned the highest possible Common Vulnerability Scoring System (CVSS) score of 10.0. This rating indicates a critical level of risk. The specific issue is a code injection vulnerability within the platform’s CustomMCP node feature.
This component allows users to input configuration settings for connecting to various AI model providers and services. The flaw enables attackers to inject malicious code through these configuration inputs, which the system then executes. Successful exploitation grants an attacker the ability to run arbitrary commands on the host server.
Scale of the Exposure
VulnCheck’s analysis indicates that more than 12,000 instances of Flowise are currently exposed on the public internet. This widespread exposure significantly increases the attack surface available to malicious actors. The researchers note that exploitation attempts began shortly after technical details of the vulnerability became public.
Flowise is a popular low-code, drag-and-drop tool used to build customized AI workflows and chatbots. Its open-source nature and utility have led to rapid adoption by developers and businesses integrating AI capabilities. This popularity now makes it a high-value target for cybercriminals seeking to compromise systems.
Potential Impact and Risks
The remote code execution capability poses a severe threat. Attackers who successfully exploit CVE-2025-59528 can gain full control over the affected server. This access could be used to steal sensitive data, deploy ransomware, install cryptocurrency miners, or use the server as a foothold for attacks on other internal network systems.
Given that Flowise is often used to handle and process data for AI applications, compromised instances could lead to the theft of proprietary AI models, training data, API keys, and other confidential information fed into the platform.
Mitigation and Response
The maintainers of the Flowise project have released patches to address this critical security hole. Administrators and users are urged to update their installations to the latest patched version immediately. The primary mitigation is to apply the available security update.
For instances that cannot be updated immediately, security professionals recommend isolating the Flowise application from the internet if its function allows. Restricting network access to only trusted sources can reduce the risk of exploitation until the patch is applied.
Organizations are also advised to scan their networks for any unauthorized or unknown instances of Flowise that may have been deployed by development teams without central oversight, a common occurrence with open-source tools.
Looking Ahead
Security analysts expect the wave of exploitation attempts to continue in the coming days as attackers scan the internet for vulnerable targets. The high number of exposed instances suggests a significant number of systems may remain at risk until patched. The cybersecurity community will likely monitor for any variants of the exploit or related attack campaigns targeting this vulnerability. Users who have not yet applied the patch should treat this as an urgent security priority.
Source: VulnCheck