Cyber Threat Brief — April 8 2026
1. Flowise CustomMCP Unauthenticated RCE — CVE-2025-59528
TL;DR: VulnCheck’s Canary network caught the first ITW exploitation of CVE-2025-59528 (CVSS 10.0) on April 6-7, a pre-auth JavaScript injection in Flowise’s CustomMCP node that reaches the Function() constructor for full Node.js RCE. An estimated 12,000-15,000 instances are internet-exposed; the patch shipped in September 2025 in v3.0.6, but fleet adoption lags.
What’s New:
- First ITW exploitation confirmed from a single Starlink-attributed IP against VulnCheck honeypots; active as of April 6
- Vulnerable endpoint: POST /api/v1/node-load-method/customMCP with the mcpServerConfig body parameter — unauthenticated, default TCP/3000
- Root cause: convertToValidJSONString() passes user input to Function('return ' + inputString)(), equivalent to eval() with the full Node runtime (child_process, fs, net)
- Affects v2.2.7-patch.1 through v3.0.5; fixed in v3.0.6 (commit 4af067a) by replacing Function() with JSON5.parse(); upgrade to v3.1.1 recommended
- Public PoC exists; GHSA-3gcm-f6qx-ff7p; third Flowise RCE exploited ITW after CVE-2025-8943 and CVE-2025-26319
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| POST /api/v1/node-load-method/customMCP from internet sources | URI | T1190 | Web proxy, WAF, nginx/Apache access logs, Flowise app logs | Alert — any unauthenticated POST to this path is a high-fidelity exploit attempt |
| Request body containing mcpServerConfig with child_process, require(, process., or Function( substrings | Payload | T1059.007 | WAF, reverse-proxy logs, Zeek http.log post_body | Alert — block at WAF and hunt historical |
| node / Flowise process spawning sh, bash, curl, wget, nc, python, /bin/sh -c | Process | T1059.004 | Sysmon for Linux EID 1, EDR, auditd execve | Alert — Flowise should never fork shells |
| Outbound network from Flowise container/host to non-allowlisted destinations after POST to customMCP | Network | T1071.001 | Zeek conn.log, NetFlow, container egress logs | Hunt — correlate POST timestamps with new outbound sessions |
| Flowise container writing to /tmp, /var/tmp, or dropping ELF files | File | T1105 | Sysmon FileCreate, Falco, EDR | Alert — post-exploit dropper staging |
| Starlink ASN source IPs (AS14593) hitting Flowise instances | Network | T1595.002 | Perimeter firewall, CDN logs | Hunt — geolocation/ASN filter on /api/v1/node-load-method/* |
| TCP/3000 exposed to the internet with Flowise banner | Exposure | T1590 | External attack surface scans, Shodan/Censys | Inventory — shut down or put behind auth proxy |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Web JSX File Requests To Tomcat, Detect Suspicious Processnames Using Pretrained Model in DSDL (adjacent, process anomaly) | Need: HTTP POST to customMCP endpoint + mcpServerConfig content inspection; node parent spawning shell |
| Elastic | Web Application Suspicious Activity: POST Request Declined (adjacent), Linux Suspicious Child Process From Web Server | Need: Flowise-specific URI path rule; child_process string match in POST body |
| Sigma | proc_creation_lnx_susp_child_process_from_web_server.yml (adjacent) | Need: Flowise-specific proxy rule keyed on /api/v1/node-load-method/customMCP and mcpServerConfig payload |
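The detection gaps above all come down to the same two checks: a POST to the CustomMCP loader from an untrusted source, and an mcpServerConfig body carrying the code-execution substrings listed in the Actionable Intel table. The following is an added example of that triage logic over constructed reverse-proxy records; it is not Flowise, VulnCheck or vendor code, and the internal-prefix allowlist and JSON record layout are assumptions.

```javascript
// Added example (not Flowise's or VulnCheck's code): a triage filter for the two
// "Alert" rows above (POST to the CustomMCP loader from an untrusted source, and
// mcpServerConfig bodies carrying code-execution tokens) over constructed records.
const CUSTOM_MCP_PATH = '/api/v1/node-load-method/customMCP';
// Substrings from the payload row, matched case-insensitively on the raw body.
const EXEC_TOKENS = ['child_process', 'require(', 'process.', 'Function('];
// Hypothetical allowlist of internal prefixes permitted to reach the loader.
const TRUSTED_PREFIXES = ['10.', '192.168.'];
const isTrusted = (ip) => TRUSTED_PREFIXES.some((p) => String(ip).startsWith(p));
// Returns null for a benign record, otherwise a finding with ATT&CK-tagged reasons.
function classifyRequest(rec) {
  if (rec.method !== 'POST') return null;
  let path = String(rec.path || '').split('?')[0];
  try { path = decodeURIComponent(path); } catch { /* keep raw path */ }
  if (!path.startsWith(CUSTOM_MCP_PATH)) return null;
  const reasons = [];
  if (!isTrusted(rec.src_ip)) reasons.push('untrusted source to customMCP loader (T1190)');
  const body = String(rec.body || '');
  if (/mcpServerConfig/i.test(body)) {
    const lower = body.toLowerCase();
    const hits = EXEC_TOKENS.filter((t) => lower.includes(t.toLowerCase()));
    if (hits.length) reasons.push(`exec tokens in mcpServerConfig: ${hits.join(', ')} (T1059.007)`);
  }
  if (!reasons.length) return null;
  return { src_ip: rec.src_ip, severity: reasons.length > 1 ? 'high' : 'medium', reasons };
}
// Scan newline-delimited JSON records; malformed lines are skipped, not fatal.
function scanLog(text) {
  const findings = [];
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    let rec;
    try { rec = JSON.parse(line); } catch { continue; }
    const f = classifyRequest(rec);
    if (f) findings.push(f);
  }
  return findings;
}
// Constructed sample: exploit-style POST from outside, legitimate internal load,
// an unrelated GET, and one malformed line.
const SAMPLE_LOG = [
  JSON.stringify({ src_ip: '203.0.113.7', method: 'POST', path: CUSTOM_MCP_PATH,
    body: '{"mcpServerConfig":"x=require(\'child_process\')"}' }),
  JSON.stringify({ src_ip: '10.0.0.5', method: 'POST', path: CUSTOM_MCP_PATH,
    body: '{"mcpServerConfig":"{\\"command\\":\\"npx\\"}"}' }),
  JSON.stringify({ src_ip: '203.0.113.9', method: 'GET', path: '/api/v1/chatflows' }),
  'not json',
].join('\n');
const FINDINGS = scanLog(SAMPLE_LOG); // one 'high' finding for 203.0.113.7
```

The path is percent-decoded before matching so an encoded variant of the URI still trips the T1190 rule; the internal allowlist only suppresses the source check, not the payload inspection.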
Mitigation: Upgrade to Flowise ≥3.1.1 immediately. If upgrade is blocked, put Flowise behind an authenticated reverse proxy, deny /api/v1/node-load-method/* at the WAF from untrusted sources, and audit node process children. Inventory TCP/3000 exposure across cloud accounts.
Sources: The Hacker News · SecurityWeek · Security Affairs · BleepingComputer · Cybersecurity News · Vulert Analysis · SonicWall Technical · Miggo DB · GHSA-3gcm-f6qx-ff7p
Status Updates
- CVE-2026-35616 (Fortinet FortiClient EMS): CISA KEV federal remediation deadline is tomorrow (April 9). Apply Fortinet hotfix and restrict EMS management plane to trusted IPs now. Original brief.
- BlueHammer Windows LPE (unpatched): Still no Microsoft patch or CVE five days post-drop; both GitHub PoC forks remain live. Continue to hunt on Defender IMpServiceRPC anomalies and junctions under C:\ProgramData\Microsoft\Windows Defender\. Original brief.
- CVE-2026-5281 (Chrome Dawn): KEV deadline April 15 unchanged; no new exploitation telemetry. Original brief.
- CVE-2026-20127 (Cisco Catalyst SD-WAN): Metasploit module public, no new ITW campaigns. Original brief.
- CVE-2026-34612 (Kestra SQLi→RCE): Still no public PoC; deployments pre-1.3.7 remain vulnerable via /api/v1/main/flows/search. Priority-2 hunt only.