This week’s TL;DR – we look at last week’s cyber attacks on major UK retailers. We also examine CISA’s addition of a critical Langflow platform vulnerability to its Known Exploited Vulnerabilities list.
UK retailers suffer ransomware attacks
Prominent UK retailers including Marks & Spencer (M&S), Harrods, and the Co-op have been targeted by a wave of cyberattacks. These incidents have caused significant disruptions, including halted online transactions and payment processing delays.
The UK’s National Cyber Security Centre (NCSC) is actively investigating the breaches and has issued urgent guidance to organizations to review and reinforce their cybersecurity defenses. One of the groups claiming responsibility is DragonForce, a ransomware-as-a-service (RaaS) operator that provides malicious tools to affiliates who then carry out attacks and extortion campaigns. DragonForce’s involvement indicates a broader trend in cybercrime where ransomware operators offer scalable attack services to less technically skilled criminals.
Additionally, investigators suspect that the Scattered Spider group, known for its advanced social engineering tactics and previous attacks on major corporations, was behind the M&S breach. Its sophisticated impersonation techniques and insider-style access make it particularly dangerous.
The series of attacks underscores the retail sector’s ongoing vulnerability to cyber threats, especially as digital infrastructure becomes more complex and essential. The NCSC emphasizes that regular audits, patching, and staff awareness training are crucial in defending against these evolving threats. The breaches serve as a warning for all sectors to strengthen their cyber resilience.
UK retailer ransomware – TL;DR
Ransomware attacks hit UK retailers like M&S, Harrods, and the Co-op, disrupting online orders and payments. The NCSC is investigating and urging stronger cyber defenses. DragonForce, a ransomware-as-a-service group, claimed responsibility for the attacks, while investigators suspect Scattered Spider targeted the M&S breach using advanced social engineering. The incidents expose major vulnerabilities in the retail sector and highlight the urgent need for improved cybersecurity.
Critical Langflow flaw added to CISA KEV list
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in the open-source Langflow platform to its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability, identified as CVE-2025-3248 with a CVSS score of 9.8, allows unauthenticated remote attackers to execute arbitrary code on affected systems.
Langflow, a Python-based tool for building AI workflows, contains a flaw in its /api/v1/validate/code endpoint. This endpoint improperly uses Python’s exec() function on user-supplied code without adequate authentication or sandboxing, enabling attackers to run arbitrary commands on the server. The issue affects most Langflow versions, but developers addressed it in version 1.3.0, released on March 31, 2025. Horizon3.ai discovered and reported the vulnerability in February 2025.
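To make the defect class concrete, here is an added example that is not Langflow’s code and not part of the original article: a “validate code” routine that executes caller input, placed beside a hardened version that authenticates the caller and only parses the submitted source. The function names, the token check and the demo snippet are hypothetical; the real remediation remains upgrading to version 1.3.0 or later.

```python
"""Added illustration of the defect class described above. This is not
Langflow's code: the function names, the token check and the demo snippet
are hypothetical, and the real fix is to upgrade to 1.3.0 or later."""
import ast
import hmac
import os

# Hypothetical shared secret standing in for a real authentication layer.
API_TOKEN = "constructed-example-token"

# Constructed snippet a caller might submit for "validation". It has a visible
# side effect (an environment variable) so the two validators can be compared.
DEMO_CODE = 'import os\nos.environ["LANGFLOW_DEMO"] = "executed"\n'


def validate_code_unsafe(code):
    """The pattern the advisory describes: run caller-supplied source to see
    whether it 'works'. exec() executes every statement with the server's
    privileges, so anyone who can reach this function has code execution."""
    try:
        exec(code, {})  # executes the submitted code
        return {"valid": True, "errors": []}
    except Exception as exc:  # broad on purpose: mirrors the anti-pattern
        return {"valid": False, "errors": [str(exc)]}


def validate_code_safe(code, token):
    """Hardened form: authenticate first, then parse only. ast.parse() builds
    a syntax tree and raises SyntaxError on bad input without executing any
    statement, so the side effect in DEMO_CODE never happens."""
    if not hmac.compare_digest(token, API_TOKEN):
        return {"valid": False, "errors": ["unauthorized"]}
    try:
        tree = ast.parse(code)
    except SyntaxError as exc:
        return {"valid": False, "errors": [f"line {exc.lineno}: {exc.msg}"]}
    # Report top-level module names the snippet imports so a reviewer can see
    # what a flow would pull in, still without running it.
    imports = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            imports.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            imports.add(node.module.split(".")[0])
    return {"valid": True, "errors": [], "imports": sorted(imports)}


def demo_marker():
    """Returns the side-effect marker if the submitted code was executed."""
    return os.environ.get("LANGFLOW_DEMO")


def clear_demo_marker():
    os.environ.pop("LANGFLOW_DEMO", None)


if __name__ == "__main__":
    clear_demo_marker()
    print("unsafe:", validate_code_unsafe(DEMO_CODE), "marker:", demo_marker())
    clear_demo_marker()
    print("safe:  ", validate_code_safe(DEMO_CODE, API_TOKEN), "marker:", demo_marker())
```

Running the block shows the marker set after the unsafe path and absent after the safe one: syntax can be checked, and imports enumerated, without ever giving the caller’s code a chance to run. Parsing is not a sandbox either, so the authentication check stays in front of it.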
A proof-of-concept exploit for this vulnerability was made publicly available on April 9, 2025, increasing the risk of widespread exploitation. Censys data indicates that there are 466 internet-exposed Langflow instances, primarily located in the United States, Germany, Singapore, India, and China. While specific details about real-world attacks remain unknown, the presence of publicly accessible instances heightens the urgency for remediation.
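With a public proof of concept and hundreds of exposed instances, a defender’s first question is whether anyone outside the expected callers has been hitting the affected endpoint. The following added detection example (not from the article or the Langflow project) parses constructed access-log lines in common log format, picks out requests to /api/v1/validate/code, and counts those coming from addresses outside a hypothetical internal allowlist. The log lines, addresses and the 10.0.0.0/8 allowlist are constructed; adapt the path and the allowlist to your own deployment.

```python
"""Added detection example for the endpoint named in the advisory. The log
lines, addresses and internal ranges are constructed; adapt the path and
the allowlist to your own deployment."""
import ipaddress
import re
from collections import Counter

# Constructed access-log lines (common log format). Addresses are from the
# RFC 5737 documentation ranges plus one made-up internal host.
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2025:12:00:01 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 512
203.0.113.10 - - [10/May/2025:12:00:02 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 498
198.51.100.7 - - [10/May/2025:12:00:05 +0000] "GET /api/v1/flows HTTP/1.1" 200 1024
10.0.0.5 - - [10/May/2025:12:00:07 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 480
203.0.113.10 - - [10/May/2025:12:00:09 +0000] "POST /api/v1/validate/code HTTP/1.1" 500 77
192.0.2.44 - - [10/May/2025:12:01:00 +0000] "POST /api/v1/validate/code?x=1 HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)
TARGET_PATH = "/api/v1/validate/code"  # endpoint named in the advisory
# Hypothetical allowlist: callers expected to use the endpoint (e.g. the UI tier).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_access_log(text):
    """Yield one dict per line that matches the common log format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec


def validate_code_hits(text, internal_nets=INTERNAL_NETS):
    """Return every request to the affected endpoint, tagged with whether the
    source address falls outside the internal allowlist."""
    hits = []
    for rec in parse_access_log(text):
        if rec["path"].split("?", 1)[0] != TARGET_PATH:  # ignore query strings
            continue
        addr = ipaddress.ip_address(rec["ip"])
        rec["external"] = not any(addr in net for net in internal_nets)
        hits.append(rec)
    return hits


def external_sources(hits):
    """Calls per address outside the allowlist; on an unpatched instance any
    non-zero entry deserves triage (and a 500 after several 200s is worth a look)."""
    return Counter(h["ip"] for h in hits if h["external"])


if __name__ == "__main__":
    found = validate_code_hits(SAMPLE_LOG)
    for ip, n in external_sources(found).most_common():
        print(f"{ip}: {n} call(s) to {TARGET_PATH}")
```

On the constructed sample, the internal host is ignored and the two documentation-range addresses are reported with their call counts. Pair the output with an inventory check against version 1.3.0: hits from outside the allowlist on an instance still below that version are the ones to escalate.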
CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies apply the necessary fixes by May 26, 2025. Organizations using Langflow are strongly advised to update to the latest version to mitigate the risk.
Langflow flaw – TL;DR
CISA has added a critical Langflow vulnerability (CVE-2025-3248) to its Known Exploited Vulnerabilities list due to active attacks. The flaw, rated 9.8 in severity, allows remote code execution via insecure use of Python’s exec() function. It affects most versions and was patched in version 1.3.0. A public exploit and over 460 exposed instances heighten the risk. CISA requires federal agencies to patch by May 26, 2025, and urges all users to update immediately.
Conclusion
These stories show that vulnerabilities span industries and geographies, from retail in Europe to AI-building tools used globally. Identifying vulnerabilities like the one found in Langflow is vital so that they cannot be exploited by RaaS operators such as those behind the UK attacks. Get in touch now to learn more about how ThinScale can secure your environment.