Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. Langflow RCE Exploited to Deploy Monero Miner on Exposed AI App Endpoints
Langflow RCE Exploited to Deploy Monero Miner on Exposed AI App Endpoints
NEWS

Langflow RCE Exploited to Deploy Monero Miner on Exposed AI App Endpoints

Threat actors are actively weaponizing CVE-2026-33017, a critical unauthenticated RCE flaw in Langflow, to deploy a Monero miner via the lambsys...

Dylan H.

News Desk

June 30, 2026
6 min read

Active Exploitation Campaign Targeting Langflow (CVE-2026-33017)

Researchers at Trend Micro (Simon Dulude and John Zhang) have published detailed analysis of an active campaign exploiting CVE-2026-33017 — a critical unauthenticated remote code execution vulnerability in Langflow — to deploy a Monero (XMR) cryptominer paired with a self-propagating SSH worm. Approximately 7,000 servers were compromised during a 19-day tracked campaign window.

The vulnerability was disclosed on March 17, 2026, and exploitation began within 20 hours of disclosure — before any public proof-of-concept was released. CISA added CVE-2026-33017 to the Known Exploited Vulnerabilities (KEV) catalog on March 25, 2026, with a federal remediation deadline of April 8, 2026.


Vulnerability Details

FieldValue
CVE IDCVE-2026-33017
CVSS v4.09.3 (Critical)
CVSS v3.x9.8 (Critical)
TypeUnauthenticated Remote Code Execution
DisclosedMarch 17, 2026
First exploitationWithin 20 hours of disclosure
CISA KEV AddedMarch 25, 2026
Federal DeadlineApril 8, 2026 (BOD 22-01)
Discovered bySimon Dulude & John Zhang (Trend Micro)
Fixed InLangflow 1.9.0 or later

Warning: Langflow 1.8.2 was widely reported as a patch release but has been confirmed by JFrog Security Research to remain fully exploitable. Only 1.9.0+ is a true fix.


Root Cause: exec() on a Public Endpoint

The vulnerability resides in Langflow's POST /api/v1/build_public_tmp/{flow_id}/flow endpoint. This endpoint is architecturally public — it allows unauthenticated users to execute AI flows. When an optional data parameter is included, the server passes attacker-controlled Python code directly to exec() with zero sandboxing.

A compounding factor: Langflow ships with AUTO_LOGIN enabled by default, which automatically grants any unauthenticated visitor a superuser token. This means any internet-accessible Langflow instance becomes a fully-authenticated Python code execution primitive for anyone who hits it.

This is the second time this design flaw has been exploited. The predecessor CVE-2025-3248 (CVSS 9.8, May 2025) used the same exec() pattern on /api/v1/validate/code. That fix added an authentication decorator without addressing the underlying architecture, and attackers pivoted to the next unauthenticated endpoint in the codebase.


Attack Chain (5 Stages)

Stage 1 — Reconnaissance

The attacker probes for Langflow instances by sending 10 rapid HTTP requests using rotating spoofed user-agent strings (Safari, Firefox, Chrome variants) to /health, /api/v1/version, and /manifest.json. This fingerprinting pattern is designed to evade signature-based detection by appearing as organic browser traffic.

Stage 2 — Exploitation

After confirming a target, the attacker switches to a stable python-requests/2.25.1 user-agent and sends a malicious POST to the public flow build endpoint. A hardcoded flow UUID (0ee284cc-0eb1-493f-bc60-94fa8d1cfd18) is reused across all exploitation attempts in the campaign. The injected Python payload curls a remote shell script (isp.sh) from the C2 server.

Stage 3 — Dropper

isp.sh checks for an existing infection, creates a hidden persistence directory at /var/tmp/.xlamb/, downloads the main malware binary lambsys via curl or wget, and launches it in the background with nohup.

Stage 4 — SSH Worm (Lateral Movement)

Simultaneously, isp.sh activates an SSH key reuse worm. It enumerates ~/.ssh/known_hosts, private key files (id_rsa, id_ed25519), and loaded SSH agent sockets, then propagates to every SSH-reachable host using two methods:

  • Pull: SSH into the target, curl lambsys from C2
  • Push: SCP the local binary, then SSH in and execute (works even on hosts with no outbound internet access)

All connections use BatchMode=yes, ConnectTimeout=5, and StrictHostKeyChecking=no to avoid blocking on prompts. The blast radius scales with how many production hosts are in the Langflow server's known_hosts.

Stage 5 — Miner Deployment

lambsys (a UPX-packed Go ELF binary, earliest variant from May 2024) performs several operations:

  • Kills competing miners — terminates all processes bound to 12 mining pool ports (3333, 4444, 5555, 6666, 7777, 3347, 14444, 14433, 56415, 9999, 13531, 3380), targeting Kinsing, WatchDog, Rocke, and Outlaw families
  • Disables host defenses — AppArmor, SELinux, UFW, iptables, kernel NMI watchdog, Alibaba Cloud Aliyun agent; deletes /var/log/syslog
  • Installs persistence — 5-minute cron job and a one-minute bash watchdog process named init_rmou
  • Deploys XMRig — extracts procq (a customized XMRig build) from ks.tar and connects to the mining pool over TCP/3333 via JSON-RPC
  • Beacons to C2 — POSTs heartbeats to /status.php every ~128 seconds over HTTP port 80

The 2026 build of lambsys is 48% smaller than its 2024 predecessor, with a VirusTotal detection rate that dropped from 31/66 to just 4/66 — evidence of deliberate evasion engineering.


Indicators of Compromise

TypeValue
C2 IP83[.]142[.]209[.]214
C2 beacon/status.php (HTTP port 80, every ~128s)
Malware binarylambsys.elf (UPX-packed Go ELF)
Miner processprocq (customized XMRig)
Malware archiveks.tar (MD5: 46096a72d84db5f1dafd944fcf6571c8)
Dropper scriptisp.sh
Hidden directory/var/tmp/.xlamb/
Mining portTCP/3333 (JSON-RPC)
Miner user-agentSystemMonitor/6.25.0 (Linux x86_64)
Exploit user-agentpython-requests/2.25.1
Reused flow UUID0ee284cc-0eb1-493f-bc60-94fa8d1cfd18
Watchdog processinit_rmou

The C2 IP 83[.]142[.]209[.]214 appears on the Spamhaus DROP blocklist — organizations enforcing that feed at the egress firewall would block all campaign beacons without any Langflow-specific rule.


Campaign Timeline

DateEvent
May 2024Earliest lambsys binary variant compiled
March 17, 2026CVE-2026-33017 publicly disclosed
March 17 +20hActive exploitation begins (before any public PoC)
March 25, 2026CISA adds to KEV catalog
March 27–April 15, 2026Active campaign window (~7,000 servers compromised)
April 8, 2026Federal remediation deadline (BOD 22-01)

Remediation

1. Upgrade Langflow (Critical Priority)

Upgrade to Langflow 1.9.0 or later. The correct fix removes the data parameter from the public endpoint entirely — public flows can only execute stored server-side flow data. Do not rely on 1.8.2 as a fix; JFrog confirmed it remains fully exploitable.

2. Harden Configuration

# Disable default superuser token grant
AUTO_LOGIN=false

Review whether Langflow runs as a privileged account; run it as an unprivileged service account.

3. Network Controls

  • Place Langflow behind a reverse proxy with authentication (Nginx, Traefik, Authentik); never expose it directly to the internet
  • Enforce the Spamhaus DROP blocklist at your egress firewall — blocks all C2 beacons from this campaign
  • Monitor or block outbound TCP/3333 (XMRig mining protocol)

4. Incident Response

If you find lambsys, procq, /var/tmp/.xlamb/, or the init_rmou watchdog on a system — treat this as an SSH key exposure incident across your entire SSH-reachable infrastructure, not a single-host mining incident. The SSH worm propagates using all keys and sockets available to the compromised host. Rotate all SSH keys and audit known_hosts on every affected server.


Sources

  • The Hacker News — Langflow RCE Exploited to Deploy Monero Miner
  • Trend Micro — From Langflow to Monero: Inside CVE-2026-33017 Cryptominer
  • JFrog Security Research — Langflow Latest 'Fixed' Version Is Still Exploitable
  • NVD — CVE-2026-33017
  • CISA KEV Catalog
#Vulnerability#CVE#Langflow#Cryptocurrency Mining#AI Security#RCE#CISA

Related Articles

Unpatched Langflow Flaw CVE-2026-5027 Exploited for Unauthenticated RCE

A high-severity path traversal flaw (CVE-2026-5027, CVSS 8.8) in the AI application builder Langflow is being actively exploited with no patch available....

5 min read

First-Ever Exploitation of PTC Windchill Vulnerability Discovered in the Wild

CISA has added CVE-2026-12569, a remote code execution flaw in PTC Windchill, to its Known Exploited Vulnerabilities catalog after confirming active...

3 min read

Path Traversal Flaw in AI Dev Platform Langflow Exploited in Attacks

Attackers are actively exploiting CVE-2026-5027, a high-severity path traversal vulnerability in Langflow, to write arbitrary files on exposed servers....

6 min read
Back to all News