This website uses cookies

Read our Privacy policy and Terms of use for more information.

HARDENED
Cybersecurity Intelligence
Issue No. 065  ·  July 13, 2026  ·  Weekly Flagship  ·  hardened.news
The signal. Not the noise.    For teams that defend.
EnterpriseCloud & DevOpsDevIT OpsEnd Users
Gates cleared:Gate 1 ExploitationGate 2 Blast RadiusGate 3 Canadian
01 — // Lead Story — Deep Dive
An AI Agent Ran an Entire Ransomware Attack Alone — Through the Same Platform Now Back on CISA's Watch List
Sysdig captured what it calls the first fully autonomous, AI-agent-driven ransomware operation, launched through an old Langflow flaw — and days later, CISA added a second, unrelated Langflow vulnerability to its exploited-vulnerabilities catalogue.

Langflow is an open-source platform for building AI agents and automated workflows, and this month it became the story from two directions at once. On July 1, Sysdig's threat researchers published a capture of an operation they call JadePuffer: an attacker gained access to an internet-facing Langflow instance through CVE-2025-3248, an unauthenticated code-execution flaw in the platform's code-validation endpoint, patched in version 1.3.0. From that foothold, a large language model — not a human operator — ran the rest of the intrusion.

Sysdig describes the agent harvesting credentials, mapping internal services, and pivoting to a separate production target running MySQL and Alibaba's Nacos configuration service. There it exploited a four-year-old Nacos authentication bypass (CVE-2021-29441) using default signing keys the vendor had documented years earlier, encrypted 1,342 configuration records, dropped the original tables, and left a ransom note demanding payment to a Bitcoin address. Sysdig counted more than 600 distinct payloads executed across the operation, each one generated and adapted by the model in response to what it found. Sysdig → The Hacker News →

What makes this different from a scripted attack tool is adaptation. A traditional ransomware kit hits the same wall every time it meets an unexpected configuration and simply fails. This one did not: when a step didn't work, the model reasoned about why and tried something else, the way a human operator would improvise mid-intrusion. That is the same quality that makes AI agents useful for legitimate work, and it is what let this one keep moving past obstacles a fixed script would have stopped at.

Then, on July 7, CISA added a second, unrelated Langflow flaw to its Known Exploited Vulnerabilities catalogue: CVE-2026-55255, an authorization-bypass bug that lets an authenticated attacker run another user's saved workflow by guessing or supplying that user's flow ID. It carries a CVSS score of 8.4 and is fixed in version 1.9.1. The two vulnerabilities are unrelated in mechanism, but together they make the same point: Langflow instances are being probed from every direction, and any organization running one is a target regardless of which specific bug an attacker reaches for.

The decision for leaders isn't whether to keep using agentic AI tooling — it's whether your organization can find and patch an exposed instance before an autonomous attacker does the finding for you. Ask your team this week whether any AI orchestration platform your organization runs, self-hosted or otherwise, is reachable from the internet, and whether it's on the current patched version.

// Attack Anatomy — How an Agent Ran the Whole Operation
JP-01 — Critical
Unauthenticated Entry (CVE-2025-3248)

Langflow versions before 1.3.0 execute arbitrary code submitted to the code-validation endpoint with no login required. This was the agent's first foothold on the exposed instance.

JP-02 — Critical
Old Bug, New Automation (CVE-2021-29441)

A four-year-old Nacos authentication bypass using documented default signing keys was the pivot into the production database. Age doesn't retire a vulnerability if the default configuration is never changed.

JP-03 — High
Adaptive, Not Scripted

Where a scripted tool would stall at the first unexpected error, this operator reasoned its way past it. Defences built around recognizing a fixed attack pattern are less effective against an operator that changes its own approach mid-intrusion.

JP-04 — High
Same Platform, Second Flaw (CVE-2026-55255)

Days after the JadePuffer disclosure, CISA confirmed active exploitation of an unrelated Langflow authorization bug. One platform, two independent attack paths, both live at once.

// Five Actions — Start This Week
[✓]Find every Langflow instance your organization runs. Confirm version 1.3.0 or later for CVE-2025-3248, and 1.9.1 or later for CVE-2026-55255. Treat anything older as already probed.
[✓]Never expose an AI orchestration platform directly to the internet. Put it behind authentication and network controls, the same way you would a database.
[✓]Rotate default credentials on every backend service. Nacos, MinIO, and similar tools ship with well-known default keys and passwords that autonomous attackers already know to try first.
[✓]Don't assume an old CVE is a low priority. CVE-2021-29441 was four years old when it became the pivot point in this attack. Patch age is not the same as risk.
[✓]Ask your incident response team if their playbooks assume a human attacker. An adaptive AI operator retries and reroutes around blocks in ways a static playbook may not anticipate.
02 — // The Canada Angle
Canada's Signals Agency Just Disclosed It Took Down a Ransomware Gang — Right Before the Gangs Get AI Agents Too
CSE's 2025-2026 Annual Report reveals an offensive operation against a ransomware-as-a-service group targeting Canadian healthcare, transportation, and business sectors — the same category of adversary the JadePuffer capture shows getting access to autonomous AI tooling.

Canada's Communications Security Establishment released its 2025-2026 Annual Report on June 29, covering activity from April 1, 2025 to March 31, 2026. Among the disclosures: CSE conducted an active cyber operation against a ransomware-as-a-service group that had targeted the healthcare, transportation, and business sectors in Canada, disabling the group's infrastructure and destroying data on its servers — what CSE itself describes as an operation that "rendered the group's infrastructure inoperable." CSE says it took similar technical disruption action against 10 of the most significant ransomware groups targeting Canada and its allies during the reporting period. TechCrunch →

Framework — Boards & Public-Sector Leadership
CSE Annual Report — National Ransomware Posture

CSE's offensive operations disrupt ransomware infrastructure after the fact — they do not prevent a specific Canadian organization from being encrypted in the first place. The healthcare, transportation, and business sectors CSE names as targeted by the disrupted group are exactly the sectors this week's lead story shows facing a faster, more adaptive class of adversary tooling.

The action: If your organization sits in healthcare, transportation, or another sector CSE flags as targeted, confirm your incident response plan accounts for a ransomware operator that can automate its own reconnaissance and lateral movement — not just a slower, human-driven one.

Primary source: Communications Security Establishment Canada →

The report's ten-gang figure is a snapshot of last year's fight, not this year's. If the JadePuffer pattern spreads beyond a single research capture, the next CSE annual report is describing an adversary that moves faster than the one it just took down.

03 — // Threat & Defence Matrix
This week’s confirmed exploitations mapped to the control that contains them
ThreatDefence

Langflow unauthenticated RCE (CVE-2025-3248, CVSS 9.8)
Entry point for the JadePuffer autonomous ransomware operator; no login required.

Patch + isolate
Update to Langflow 1.3.0 or later; never expose the code-validation endpoint to the open internet.

Langflow cross-tenant IDOR (CVE-2026-55255, CVSS 8.4, CISA KEV July 7)
An authenticated attacker runs another user's saved workflow by supplying their flow ID.

Patch + review sharing
Update to Langflow 1.9.1 or later; audit which users can reference flows they don't own.

Adobe ColdFusion path traversal RCE (CVE-2026-48282, CVSS 10.0)
Exploited within hours of public disclosure; CISA KEV July 7.

Patch on disclosure day, not disclosure week
Apply Adobe's fix immediately; treat the hours-not-days exploitation window as the new normal for public disclosures.

Joomla page-builder file-upload RCE pair (CVE-2026-48908 CVSS 9.8, CVE-2026-56290 CVSS 9.8, both CISA KEV July 7)
Unauthenticated file upload leads to PHP execution; one exploited as a zero-day, the other via webshell delivery.

Patch + webshell hunt
Update JoomShaper SP Page Builder to 6.6.2+ and Page Builder CK to 3.6.0+; scan for uploaded PHP webshells on any Joomla site running either extension.

Nacos default signing-key auth bypass (CVE-2021-29441, CVSS 9.8)
A four-year-old flaw using documented default JWT keys, still live enough to anchor a 2026 ransomware operation.

Rotate defaults + patch
Update to Nacos 1.4.1 or later and rotate any default signing keys or credentials still in production.

04 — // On Our Radar + Patch Priority
// On Our Radar — Not Yet at Critical Threshold
RoguePlanet Defender zero-day, still unpatched: The TOCTOU race in Microsoft Defender's file-processing path we flagged last issue still has no CVE, no advisory, and no patch. Its predecessor BlueHammer was already used in live intrusions before RoguePlanet surfaced. Tracking since Issue #064.
Secure Boot Production PCA 2011 expiry: Still on track for October 19. Confirm the 2023 CAs are installed well ahead of that date. Tracking since Issue #039.
Autonomous ransomware beyond a single capture: JadePuffer is currently one documented case. Whether the technique spreads to other operators, or whether this remains an outlier, is the single most consequential open question in this space right now — we'll track it.
// Patch Priority — This Week
P1 — NOWLangflow — two active flaws: CVE-2025-3248 (CVSS 9.8, unauth RCE) and CVE-2026-55255 (CVSS 8.4, CISA KEV July 7, cross-tenant IDOR). Update to 1.9.1 or later, which addresses both.Dev · Cloud+DevOps
P1 — NOWAdobe ColdFusion CVE-2026-48282 (CVSS 10.0) — path traversal RCE, exploited within hours of disclosure, CISA KEV July 7. Apply Adobe's fix immediately.Enterprise · IT Ops
P2 — WEEKJoomla page builders — JoomShaper SP Page Builder CVE-2026-48908 (CVSS 9.8) and Page Builder CK CVE-2026-56290 (CVSS 9.8), both CISA KEV July 7. Update to 6.6.2+ and 3.6.0+ respectively, and hunt for webshells.Cloud+DevOps · Enterprise
P2 — WEEKAlibaba Nacos CVE-2021-29441 (CVSS 9.8) — default signing-key auth bypass, still exploitable in production deployments. Update to 1.4.1 or later and rotate any default keys.Cloud+DevOps · IT Ops
HARDENED

HARDENED is published for general informational and educational purposes. All threat data is sourced from publicly available security research and cited accordingly. This newsletter does not constitute professional security advice. Security configurations and threat landscapes vary by organization. Consult a qualified security professional for implementation guidance specific to your environment. All data as of July 10, 2026.

hardened.news

Superintelligence.

Superintelligence.

Your insider AI briefing to win the future.

Keep Reading