
Threat Actors Exploiting Critical RCE Vulnerability in Flowise AI Platform
Threat actors are actively exploiting a maximum-severity remote code execution (RCE) vulnerability in Flowise, an open-source AI platform, according to VulnCheck. The flaw, tracked as CVE-2025-59528 with a CVSS score of 10.0, is a code injection vulnerability in the CustomMCP node, which allows users to input configuration settings. It enables unauthenticated attackers to execute arbitrary code remotely. Over 12,000 exposed instances of Flowise have been identified. The findings did not include a specific timeline or patch status.