A critical remote code execution (RCE) vulnerability in FlowiseAI's Flowise platform, tracked as CVE-2025-59528, is currently being exploited by attackers. This flaw, which has been assigned a maximum CVSS score of 10, allows attackers to execute arbitrary code on affected systems, posing a severe risk to organizations using the platform.
Flowise, a tool designed to help users build customized large language model flows through a drag-and-drop interface, is vulnerable due to a flaw in its CustomMCP node. This node is responsible for parsing user-provided configuration settings to connect to external MCP servers. The vulnerability, identified as CWE-94, allows malicious actors to inject and execute code remotely, effectively compromising the system.
The vulnerability was published on September 22, 2025, and has since seen active exploitation in the wild. The Exploit Prediction Scoring System (EPSS) rates this vulnerability at 0.835, indicating a high likelihood of exploitation. Furthermore, there is one known exploit and seven proof-of-concept (PoC) codes available, which have likely facilitated the rapid adoption of this exploit by attackers.
Security experts have flagged this issue as critical, with the Stakeholder-Specific Vulnerability Categorization (SSVC) advising immediate attention. The timeline to exploitation (TTE) for this vulnerability is notably short, at -9.8 days, underscoring the urgency for organizations to address this flaw.
Organizations using Flowise version 3.0.5 are particularly at risk and should prioritize patching to mitigate potential breaches. While no specific threat actor has been publicly attributed to these attacks, the availability of PoC codes suggests that a range of malicious entities could be leveraging this vulnerability.
FlowiseAI has yet to release a patch, leaving users vulnerable to ongoing attacks. In the interim, organizations are advised to implement network segmentation and monitor for unusual activity that could indicate exploitation attempts. Additionally, reviewing and restricting access to the CustomMCP node can help reduce the attack surface.
As the situation develops, it is crucial for security teams to stay informed about updates from FlowiseAI and apply any forthcoming patches promptly. The critical nature of this vulnerability and its active exploitation highlight the importance of maintaining robust security practices and staying vigilant against emerging threats.
CSURFACE