Active Exploitation Campaign Targeting Langflow (CVE-2026-33017)
Researchers at Trend Micro (Simon Dulude and John Zhang) have published detailed analysis of an active campaign exploiting CVE-2026-33017 — a critical unauthenticated remote code execution vulnerability in Langflow — to deploy a Monero (XMR) cryptominer paired with a self-propagating SSH worm. Approximately 7,000 servers were compromised during a 19-day tracked campaign window.
The vulnerability was disclosed on March 17, 2026, and exploitation began within 20 hours of disclosure — before any public proof-of-concept was released. CISA added CVE-2026-33017 to the Known Exploited Vulnerabilities (KEV) catalog on March 25, 2026, with a federal remediation deadline of April 8, 2026.
Vulnerability Details
| Field | Value |
|---|---|
| CVE ID | CVE-2026-33017 |
| CVSS v4.0 | 9.3 (Critical) |
| CVSS v3.x | 9.8 (Critical) |
| Type | Unauthenticated Remote Code Execution |
| Disclosed | March 17, 2026 |
| First exploitation | Within 20 hours of disclosure |
| CISA KEV Added | March 25, 2026 |
| Federal Deadline | April 8, 2026 (BOD 22-01) |
| Discovered by | Simon Dulude & John Zhang (Trend Micro) |
| Fixed In | Langflow 1.9.0 or later |
Warning: Langflow 1.8.2 was widely reported as a patch release but has been confirmed by JFrog Security Research to remain fully exploitable. Only 1.9.0+ is a true fix.
Root Cause: exec() on a Public Endpoint
The vulnerability resides in Langflow's POST /api/v1/build_public_tmp/{flow_id}/flow endpoint. This endpoint is architecturally public — it allows unauthenticated users to execute AI flows. When an optional data parameter is included, the server passes attacker-controlled Python code directly to exec() with zero sandboxing.
A compounding factor: Langflow ships with AUTO_LOGIN enabled by default, which automatically grants any unauthenticated visitor a superuser token. This means any internet-accessible Langflow instance becomes a fully-authenticated Python code execution primitive for anyone who hits it.
This is the second time this design flaw has been exploited. The predecessor CVE-2025-3248 (CVSS 9.8, May 2025) used the same exec() pattern on /api/v1/validate/code. That fix added an authentication decorator without addressing the underlying architecture, and attackers pivoted to the next unauthenticated endpoint in the codebase.
Attack Chain (5 Stages)
Stage 1 — Reconnaissance
The attacker probes for Langflow instances by sending 10 rapid HTTP requests using rotating spoofed user-agent strings (Safari, Firefox, Chrome variants) to /health, /api/v1/version, and /manifest.json. This fingerprinting pattern is designed to evade signature-based detection by appearing as organic browser traffic.
Stage 2 — Exploitation
After confirming a target, the attacker switches to a stable python-requests/2.25.1 user-agent and sends a malicious POST to the public flow build endpoint. A hardcoded flow UUID (0ee284cc-0eb1-493f-bc60-94fa8d1cfd18) is reused across all exploitation attempts in the campaign. The injected Python payload curls a remote shell script (isp.sh) from the C2 server.
Stage 3 — Dropper
isp.sh checks for an existing infection, creates a hidden persistence directory at /var/tmp/.xlamb/, downloads the main malware binary lambsys via curl or wget, and launches it in the background with nohup.
Stage 4 — SSH Worm (Lateral Movement)
Simultaneously, isp.sh activates an SSH key reuse worm. It enumerates ~/.ssh/known_hosts, private key files (id_rsa, id_ed25519), and loaded SSH agent sockets, then propagates to every SSH-reachable host using two methods:
- Pull: SSH into the target, curl
lambsysfrom C2 - Push: SCP the local binary, then SSH in and execute (works even on hosts with no outbound internet access)
All connections use BatchMode=yes, ConnectTimeout=5, and StrictHostKeyChecking=no to avoid blocking on prompts. The blast radius scales with how many production hosts are in the Langflow server's known_hosts.
Stage 5 — Miner Deployment
lambsys (a UPX-packed Go ELF binary, earliest variant from May 2024) performs several operations:
- Kills competing miners — terminates all processes bound to 12 mining pool ports (3333, 4444, 5555, 6666, 7777, 3347, 14444, 14433, 56415, 9999, 13531, 3380), targeting Kinsing, WatchDog, Rocke, and Outlaw families
- Disables host defenses — AppArmor, SELinux, UFW, iptables, kernel NMI watchdog, Alibaba Cloud Aliyun agent; deletes
/var/log/syslog - Installs persistence — 5-minute cron job and a one-minute bash watchdog process named
init_rmou - Deploys XMRig — extracts
procq(a customized XMRig build) fromks.tarand connects to the mining pool over TCP/3333 via JSON-RPC - Beacons to C2 — POSTs heartbeats to
/status.phpevery ~128 seconds over HTTP port 80
The 2026 build of lambsys is 48% smaller than its 2024 predecessor, with a VirusTotal detection rate that dropped from 31/66 to just 4/66 — evidence of deliberate evasion engineering.
Indicators of Compromise
| Type | Value |
|---|---|
| C2 IP | 83[.]142[.]209[.]214 |
| C2 beacon | /status.php (HTTP port 80, every ~128s) |
| Malware binary | lambsys.elf (UPX-packed Go ELF) |
| Miner process | procq (customized XMRig) |
| Malware archive | ks.tar (MD5: 46096a72d84db5f1dafd944fcf6571c8) |
| Dropper script | isp.sh |
| Hidden directory | /var/tmp/.xlamb/ |
| Mining port | TCP/3333 (JSON-RPC) |
| Miner user-agent | SystemMonitor/6.25.0 (Linux x86_64) |
| Exploit user-agent | python-requests/2.25.1 |
| Reused flow UUID | 0ee284cc-0eb1-493f-bc60-94fa8d1cfd18 |
| Watchdog process | init_rmou |
The C2 IP
83[.]142[.]209[.]214appears on the Spamhaus DROP blocklist — organizations enforcing that feed at the egress firewall would block all campaign beacons without any Langflow-specific rule.
Campaign Timeline
| Date | Event |
|---|---|
| May 2024 | Earliest lambsys binary variant compiled |
| March 17, 2026 | CVE-2026-33017 publicly disclosed |
| March 17 +20h | Active exploitation begins (before any public PoC) |
| March 25, 2026 | CISA adds to KEV catalog |
| March 27–April 15, 2026 | Active campaign window (~7,000 servers compromised) |
| April 8, 2026 | Federal remediation deadline (BOD 22-01) |
Remediation
1. Upgrade Langflow (Critical Priority)
Upgrade to Langflow 1.9.0 or later. The correct fix removes the data parameter from the public endpoint entirely — public flows can only execute stored server-side flow data. Do not rely on 1.8.2 as a fix; JFrog confirmed it remains fully exploitable.
2. Harden Configuration
# Disable default superuser token grant
AUTO_LOGIN=falseReview whether Langflow runs as a privileged account; run it as an unprivileged service account.
3. Network Controls
- Place Langflow behind a reverse proxy with authentication (Nginx, Traefik, Authentik); never expose it directly to the internet
- Enforce the Spamhaus DROP blocklist at your egress firewall — blocks all C2 beacons from this campaign
- Monitor or block outbound TCP/3333 (XMRig mining protocol)
4. Incident Response
If you find lambsys, procq, /var/tmp/.xlamb/, or the init_rmou watchdog on a system — treat this as an SSH key exposure incident across your entire SSH-reachable infrastructure, not a single-host mining incident. The SSH worm propagates using all keys and sockets available to the compromised host. Rotate all SSH keys and audit known_hosts on every affected server.