Cybersecurity researchers have identified an active campaign exploiting CVE-2026-33017, a critical remote code execution (RCE) vulnerability in Langflow, to compromise internet-facing AI servers and deploy a customized Monero (XMR) cryptominer.
The campaign highlights a growing trend in which threat actors are shifting their focus from traditional Linux servers to AI platforms that power Large Language Model (LLM) applications and Retrieval-Augmented Generation (RAG) workflows.
The vulnerability affects Langflow versions up to 1.8.2, has received a CVSS score of 9.8, and has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog due to active exploitation. The issue has been addressed in Langflow version 1.9.0.
How the Attack Works
The vulnerability exists in Langflow’s public workflow execution endpoint, where insufficient input validation allows attackers to inject and execute malicious Python code without authentication. Researchers also noted that AUTO_LOGIN is enabled by default, allowing unauthenticated users to obtain a superuser token and create public workflows, making exploitation significantly easier on exposed servers.
The attack begins with automated reconnaissance. Threat actors rapidly scan internet-facing Langflow instances using multiple browser user-agent strings while probing endpoints such as /health, /api/v1/version, and /manifest.json. This approach helps identify vulnerable systems while reducing the likelihood of detection.
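The reconnaissance pattern described above can be hunted for in reverse-proxy access logs. The following is an added detection example, not code from the researchers or from Langflow; the Combined Log Format, the 60-second window, the two-agent threshold and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

PROBE_PATHS = {"/health", "/api/v1/version", "/manifest.json"}  # from the article
WINDOW = timedelta(seconds=60)  # assumption: tune to your traffic
MIN_AGENTS = 2                  # "multiple browser user-agent strings"

# Combined Log Format: ip - - [ts] "METHOD path PROTO" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

def parse(line):
    """Return (ip, timestamp, path without query string, user agent) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"].split("?", 1)[0], m["ua"]

def find_scanners(lines):
    """Map IP -> (paths, UA count) for sources probing every path in one WINDOW."""
    events = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec[2] in PROBE_PATHS:
            events[rec[0]].append(rec[1:])
    flagged = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > WINDOW:  # slide the window
                start += 1
            paths = {p for _, p, _ in evs[start:end + 1]}
            agents = {u for _, _, u in evs[start:end + 1]}
            if paths == PROBE_PATHS and len(agents) >= MIN_AGENTS:
                flagged[ip] = (sorted(paths), len(agents))
                break
    return flagged

# Constructed sample lines (documentation-range IPs, illustrative user agents).
SAMPLE = [
    '198.51.100.23 - - [12/Mar/2026:10:00:01 +0000] "GET /health HTTP/1.1" 200 15 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0"',
    '198.51.100.23 - - [12/Mar/2026:10:00:02 +0000] "GET /api/v1/version HTTP/1.1" 200 64 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0"',
    '198.51.100.23 - - [12/Mar/2026:10:00:03 +0000] "GET /manifest.json?v=1 HTTP/1.1" 200 310 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"',
    '203.0.113.9 - - [12/Mar/2026:10:00:05 +0000] "GET /health HTTP/1.1" 200 15 "-" "kube-probe/1.29"',
    '203.0.113.9 - - [12/Mar/2026:10:00:35 +0000] "GET /api/v1/version HTTP/1.1" 200 64 "-" "kube-probe/1.29"',
]
```

A health checker that reuses one user agent is not flagged; only a source that touches all three fingerprinting paths while rotating agents inside the window is.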
Once a vulnerable server is identified, attackers exploit the flaw by sending a specially crafted request that downloads and executes a malicious shell script. Researchers observed the same workflow identifier being reused across multiple attacks, suggesting the campaign is highly automated.
The shell script acts as a dropper, creating hidden directories, downloading the primary malware, and launching it in the background. It also searches for SSH keys, known hosts, and active SSH agent sessions in an attempt to spread laterally to additional Linux systems.
Cryptominer Deployment and Persistence
The primary payload is a UPX-packed Go binary designed to establish persistence while preparing the system for cryptocurrency mining.
Researchers observed the malware performing several actions after execution:
- Downloading a customized XMRig-based Monero miner.
- Terminating dozens of competing cryptomining processes already running on the system.
- Removing backdoor accounts left behind by previous malware campaigns.
- Increasing system resource limits to improve mining performance.
To avoid detection, the malware disables several Linux security controls, including AppArmor, SELinux, UFW, iptables, the Linux NMI watchdog, and Alibaba Cloud’s Aliyun security agent. It also clears system logs, removes file protection attributes, and modifies system settings to make forensic analysis more difficult.
For long-term persistence, the malware creates scheduled cron jobs and watchdog processes that automatically restore the miner if it is removed. It also locks critical files and directories, making cleanup significantly more challenging.
The customized Monero miner is installed inside a hidden directory and connects to attacker-controlled mining infrastructure over TCP port 3333. Researchers also observed regular heartbeat communications with command-and-control servers, allowing attackers to monitor infected systems and maintain control of the campaign.
Why AI Servers Are Being Targeted
Langflow is commonly integrated with cloud platforms, AI models, databases, and external APIs. As a result, compromised servers often contain valuable API keys, cloud credentials, database passwords, and SSH keys.
During the attacks, researchers observed threat actors searching for environment files and sensitive credentials that could enable lateral movement or provide access to additional enterprise resources. This makes the impact far greater than unauthorized cryptocurrency mining alone.
Security Recommendations
Organizations using Langflow should immediately upgrade to version 1.9.0 or later and ensure that vulnerable instances are not directly accessible from the internet.
Security teams should also:
- Restrict public access to Langflow deployments.
- Monitor for unusual API requests and unexpected Python execution.
- Review systems for unauthorized cron jobs, background processes, and persistence mechanisms.
- Rotate exposed API keys, SSH credentials, and cloud secrets if compromise is suspected.
- Investigate unusual outbound connections and signs of cryptocurrency mining activity.
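For the last item, one way to triage a host is to score its established TCP connections against the mining ports and file names listed in the IoC section. This is an added example, not tooling from the researchers; the `ss -tnp` capture, the PID-to-path map and the `/var/tmp/.cache` location are constructed, and the scoring levels are an assumption.

```python
import os
import re

# Values from the article's IoC table; a port match alone is weak evidence.
MINING_PORTS = {3333, 4444, 5555, 6666, 7777, 3347, 14444, 14433, 56415, 9999, 13531, 3380}
IOC_NAMES = {"procq", "lambsys", "lambsys.elf"}
PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')

def proc_exe(pid):
    """Resolve a PID to its executable path (needs root for other users' PIDs)."""
    try:
        return os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return ""

def triage(ss_output, exe_of=proc_exe):
    """Score ESTAB rows of `ss -tnp` output: (level, process, peer, reasons)."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "ESTAB":
            continue
        peer_port = cols[4].rpartition(":")[2]
        m = PROC_RE.search(line)
        name, pid = (m.group(1), int(m.group(2))) if m else ("", None)
        exe = (exe_of(pid) or "") if pid is not None else ""
        reasons = []
        if peer_port.isdigit() and int(peer_port) in MINING_PORTS:
            reasons.append("mining-port")
        if name in IOC_NAMES:
            reasons.append("ioc-name")
        if any(part.startswith(".") for part in exe.split("/")):
            reasons.append("hidden-dir")  # article: miner lives in a hidden directory
        if reasons:
            level = "high" if len(reasons) > 1 else "review"
            findings.append((level, name, cols[4], reasons))
    return findings

# Constructed `ss -tnp` capture and PID-to-path map (paths are illustrative).
SS_SAMPLE = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:48212 203.0.113.50:3333 users:(("procq",pid=4121,fd=9))
ESTAB 0 0 10.0.0.5:50122 198.51.100.8:9999 users:(("python3",pid=2210,fd=5))
ESTAB 0 0 10.0.0.5:22 192.0.2.10:51514 users:(("sshd",pid=812,fd=4))
"""
SAMPLE_EXES = {4121: "/var/tmp/.cache/procq", 2210: "/usr/bin/python3.11", 812: "/usr/sbin/sshd"}
```

On a live host, pass the output of `ss -tnp` as root and leave `exe_of` at its default; `triage(SS_SAMPLE, SAMPLE_EXES.get)` exercises the constructed capture.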
The rapid exploitation of CVE-2026-33017 demonstrates how quickly attackers weaponize vulnerabilities in AI platforms. As organizations continue adopting AI technologies, securing AI infrastructure should become a core part of enterprise cybersecurity strategies, alongside continuous monitoring, timely patch management, and strong access controls.
IoCs
File Hashes (SHA-256)
| Hash | Description |
|---|---|
| 71af8bd9b8019b7e5f460ce4c5c14ff7716a2c2faaaf1f274ceaa54cb89723bc | lambsys.elf – Go/UPX, 296 KB, 2026 variant |
| 33588aa446984d3340cab686d38f2aa85a70eb3f76c459da3eef0304592b99df | lambsys.elf – 2024 old variant |
| ddde47bf00324075c7eeb0b9d0ff0a5d1b95bfc619aca4b5def85263838212f2 | procq – customized XMRig miner |
Network Indicators
| Indicator | Type | Description |
|---|---|---|
| 83[.]142[.]209[.]214 | IP / C2 | Primary C2 and payload staging server |
| hxxp[://]83[.]142[.]209[.]214/status.php | URL | C2 heartbeat beacon endpoint |
| hxxp[://]83[.]142[.]209[.]214/setup_status.php | URL | C2 secondary status endpoint |
| hxxp[://]83[.]142[.]209[.]214:8080/isp.sh | URL | Dropper script delivery |
| hxxp[://]83[.]142[.]209[.]214:8080/lambsys | URL | Main malware binary delivery |
| hxxp[://]83[.]142[.]209[.]214:8080/ks.tar | URL | XMRig miner payload archive |
| hxxp[://]94[.]156[.]64[.]241/r.php | URL | Legacy C2 (2024 variant) |
| ipinfo[.]io (34[.]117[.]59[.]81) | Domain | Geo-IP check pre-mining |
| Go-http-client/1.1 | User-Agent | C2 beacon UA |
| SystemMonitor/6.25.0 (Linux x86_64) libuv/1.24.1 gcc/8.3.0 | User-Agent | XMRig pool login spoofed UA |
| Ports: 3333, 4444, 5555, 6666, 7777, 3347, 14444, 14433, 56415, 9999, 13531, 3380 | TCP Ports | Mining pool ports killed and used |