Back to Feed
MalwareJun 30, 2026

Langflow RCE Exploited to Deploy Monero Miner on Exposed AI App Endpoints

Langflow RCE vulnerability exploited to deploy Monero miner on exposed AI app endpoints.

Summary

Threat actors are actively exploiting a critical unauthenticated RCE vulnerability (CVE-2026-33017) in Langflow to deploy Monero cryptocurrency miners. The attacks target exposed AI application endpoints, weaponizing the flaw to pull down shell scripts, fetch miner binaries, and establish persistence. The malware also aims to disable security controls, terminate rival miners, and spread via SSH keys.

Full text

Langflow RCE Exploited to Deploy Monero Miner on Exposed AI App Endpoints Ravie LakshmananJun 30, 2026Vulnerability / Malware Threat actors are continuing to exploit a critical Langflow vulnerability as part of fresh attacks designed to deliver a Monero cryptocurrency miner. The activity has been found to weaponize CVE-2026-33017 (CVSS score: 9.3), an unauthenticated remote code execution (RCE) vulnerability in Langflow, indicating threat actors are scanning and targeting exposed artificial intelligence (AI) application endpoints for obtaining initial access to enterprise networks. The attack was observed over a 19-day window between March 27 and April 15, 2026. "In this campaign, a single line of Python code evaluated inside an unauthenticated Langflow API endpoint pulls down a shell script, fetches a miner binary, and launches it detached," Trend Micro researchers Simon Dulude and John Zhang said in a technical report published last week. At a high level, the malware is designed to terminate competing cryptocurrency miner processes associated with Kinsing, WatchDog, Rocke, and Outlaw, delete rival wallet and key material, disable host-level security controls, establish cron-based persistence, beacon to an external server ("83.142.209[.]214:80), and deploy a custom miner. It can also propagate to other systems through reused SSH keys, effectively turning an exposed Langflow instance into a pathway for broader compromise. This involves exploiting the Langflow flaw to run an attacker-supplied Python script, which, in turn, is configured to launch a remotely hosted shell script that acts as a dropper whose primary responsibility is to check if a binary called "lambsys" is already running on the host. Subsequently, it downloads the binary on the machine using curl or wget, launches it as a detached process, and spreads itself to every SSH-reachable host the victim can authenticate to. The binary, an ELF executable written in Go, is also engineered to disable AppArmor, Ubuntu's Uncomplicated Firewall, iptables, SELinux, the kernel NMI watchdog, and Alibaba Cloud's Aliyun agent. In addition, the malware removes system logs to cover up the tracks, and removes the immutable attribute from files like "~/.ssh/," "~/.ssh/authorized_keys," "/etc/crontab," and "/etc/ld.so.preload," "/tmp/," "/var/tmp/," and "/var/spool/cron" in order to make its modifications, and then reapplies the immutable attribute to "/tmp/" and "/var/tmp/." Illicit cryptocurrency mining operations are known to set the "chattr +i" attribute on these files to ensure that they cannot be modified, renamed, or deleted by any user, including the superuser. The binary's behavior reflects that the threat actor behind the operation is aware of persistence methods adopted by rival cryptojacking groups. In the final stage, the binary contacts the same server to fetch a TAR archive and extracts from it a bespoke XMRig miner. Once the miner begins execution, the archive file is wiped from the file system. It further sends a request to ipinfo[.]io to obtain the host's public IP address and location, allowing the threat actors to make operational decisions on the fly. The first is pool selection. Given that mining pools tend to be geographically distributed, connecting the miner to a pool near the victim can minimize latency and maximize hash rate. The second reason behind obtaining this information is geo-fencing, as it gives the threat actors a way to exclude victims in certain regions. "Lambsys does not run its attack logic as Go functions," the researchers explained. "Instead, it forks a cascade of short-lived sh -c subprocesses, each executing one shell command (one pkill, one chattr, one sysctl). The design trades stealth for reliability. If one of 51 pkill commands fails, the failure is contained to that subprocess, and the other 50 carry on." Trend Micro said an artifact belonging to the previous iteration of the same binary was compiled in May 2024, indicating that the threat actors behind the campaign have likely been iterating on the family for over two years, while taking steps to evade detection by antivirus tools. Over the past year, a number of security flaws in Langflow have come under active exploitation. In June 2025, another critical vulnerability (CVE-2025-3248, CVSS score: 9.8) was abused to distribute the Flodrix botnet malware. "This cryptocurrency-mining campaign shows how exposed AI application endpoints are becoming another route into enterprise environments," Trend Micro said. "The payload might be familiar, but the delivery vector is not. A Langflow vulnerability gives commodity cryptominer operators a new front door into systems running AI application infrastructure." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  cryptojacking, Langflow, Malware, Monero, Persistence, remote code execution, SSH, Trend Micro, Vulnerability, XMRig ⚡ Top Stories This Week Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability New Gaslight macOS Malware Uses Prompt Injection to Disrupt AI-Assisted Analysis Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited to Gain Root Access Google Sets Sept. 30 Deadline for Android Developer Verification in Four Countries Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operation Fake AI Agent Skill Passed Security Scans and Reportedly Reached 26,000 Agents WhatsApp VBScript Campaign Uses Fake Documents to Install ManageEngine RMM Tool 29-Year-Old Squid Proxy Bug 'Squidbleed' Can Leak Cleartext HTTP Requests ⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More Unpatchable 'usbliter8' Exploit Breaks Apple A12 and A13 SecureROM Boot Chain The Gentlemen RaaS Uses GentleKiller EDR Framework Targeting 400 Security Processes AutoJack Attack Lets One Web Page Hijack AI Agent for Host Code Execution CISA Warns Fortinet Customers as FortiBleed Hits 86,644 FortiGate Devices F5 Patches Two Critical NGINX Open Source Flaws Enabling Remote Code Execution Salesforce Disables Klue App Integration After OAuth Token Abuse Exposes Customer Data ⭐ Featured Resources Get the 2026 Guide to Govern and Secure Enterprise AI Agents at Scale [Watch Demo] See Which Security Gaps Attackers Could Exploit First AI Can’t Stop Every Attack. Learn How Zero Trust Can Block What’s Unknown Have You Outgrown Your MDR? 7 Warning Signs Every CISO Should Check

Indicators of Compromise

  • cve — CVE-2026-33017
  • ip — 83.142.209.214

Entities

Langflow (product)AI (technology)