Langflow RCE Exploited to Deploy Monero Miner on Exposed AI App Endpoints

Related

BlueHammer Microsoft Defender Flaw Exploited in Ransomware Attacks

What happened CISA updated its Known Exploited Vulnerabilities catalog to...

Critical Dell Wyse Vulnerabilities Enable Remote Code Execution

What happened Dell Technologies released a critical security advisory for...

Insurance Regulators Group NAIC Hit in Oracle PeopleSoft Hack

What happened The National Association of Insurance Commissioners confirmed it...

Hackers Now Exploit Critical Oracle E-Business Suite Flaw in Attacks

What happened Attackers have begun exploiting a critical vulnerability in...

Hackers Exploit Critical SimpleHelp Flaw to Deploy Djinn Stealer

What happened Hackers are exploiting a critical vulnerability in SimpleHelp...

Share

What happened

Threat actors are exploiting a critical Langflow vulnerability to deploy a Monero cryptocurrency miner on exposed AI application endpoints.

The vulnerability is tracked as CVE-2026-33017 and has a CVSS score of 9.3. It is an unauthenticated remote code execution flaw in Langflow, an AI application development framework.

Trend Micro observed the campaign over a 19-day window between March 27 and April 15, 2026.

The attack begins when attackers exploit the vulnerable Langflow API endpoint to run a single line of Python code. That code downloads and launches a remote shell script, which then fetches a miner binary and starts it as a detached process.

The malware checks whether a binary named lambsys is already running on the host. If it is not, the script downloads the binary using curl or wget, executes it, and then attempts to spread to other systems reachable through reused SSH keys.

The lambsys binary is an ELF executable written in Go. It is designed to disable host-level security controls, including AppArmor, Ubuntu’s Uncomplicated Firewall, iptables, SELinux, the kernel NMI watchdog, and Alibaba Cloud’s Aliyun agent.

The malware also terminates competing cryptocurrency miner processes associated with other cryptojacking groups, deletes rival wallet and key material, removes system logs, modifies file attributes to support persistence, and establishes cron-based persistence.

In the final stage, lambsys contacts an external server to download a TAR archive containing a custom XMRig miner. After extraction and execution, the archive is deleted from the file system.

The malware also queries ipinfo.io to collect the host’s public IP address and location. This can help the operators choose nearby mining pools to improve performance or exclude victims in certain regions.

Trend Micro said an earlier artifact from the same malware family was compiled in May 2024, suggesting the operators have been iterating on the family for more than two years.

Who is affected

Organizations running exposed Langflow instances are affected, especially if they have not patched CVE-2026-33017.

The risk is highest for internet-facing AI application endpoints, developer environments, cloud systems, and servers where Langflow is reachable without proper access controls.

Organizations may also face broader exposure if compromised hosts contain reusable SSH keys. The malware can attempt to spread to other systems the victim can authenticate to, turning one exposed AI application endpoint into a path for lateral movement.

Cloud environments may be especially affected because cryptomining malware can consume compute resources, increase costs, degrade performance, and weaken host-level security controls.

Why CISOs should care

This campaign shows that AI application infrastructure is becoming part of the normal enterprise attack surface. Exposed AI endpoints are not only targets for model abuse or data leakage. They can also be used as entry points for commodity malware.

For CISOs, the Langflow flaw is urgent because it enables unauthenticated remote code execution. Attackers do not need valid credentials if the endpoint is exposed and vulnerable.

The lateral movement behavior is also important. The malware attempts to spread through reused SSH keys, meaning the impact can extend beyond cryptomining on one server.

The disabling of security controls should also raise concern. Lambsys attempts to turn off host protections, remove logs, alter file attributes, and eliminate competing miners, showing that even a financially motivated cryptomining campaign can reduce visibility and weaken defenses for future compromise.

3 practical actions

  1. Patch and restrict Langflow deployments: CVE-2026-33017 is being exploited against exposed Langflow endpoints. CISOs should patch vulnerable instances, remove unnecessary internet exposure, and place AI application tools behind authentication and trusted network controls.
  2. Rotate and limit SSH keys on affected systems: The malware can propagate to other systems through reused SSH keys. Security teams should audit SSH keys on exposed Langflow servers, remove unnecessary trust relationships, rotate keys after suspected compromise, and restrict lateral SSH access.
  3. Hunt for cryptomining and persistence behavior: Defenders should look for lambsys, unusual XMRig activity, cron-based persistence, disabled security controls, cleared logs, suspicious curl or wget downloads, unexpected outbound connections, and abnormal CPU usage on AI application hosts.
IMG 0514 2
+ posts

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.