Langflow Cryptominer Malware Exploits CVE-2026-33017
ID: 78e12777-f6df-59fd-b2b2-86fc74df6d92
STIX ID: report--78e12777-f6df-59fd-b2b2-86fc74df6d92
Feed Name: securityonline.info
Threat Score
A new campaign exploits CVE-2026-33017 to gain unauthenticated RCE on exposed Langflow AI endpoints and deploy a Go-based cryptominer derived from the KORKERDS playbook that disables defenses, persists using an 'init_rmount' file, propagates via stolen SSH keys as a worm, and uses a 39-entry kill list to remove competing malware; organizations are urged to patch Langflow to 1.9.0+, restrict public access, monitor for exploitation, and rotate exposed SSH keys.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
