logo

Langflow Cryptominer Malware Exploits CVE-2026-33017

ID: 78e12777-f6df-59fd-b2b2-86fc74df6d92

STIX ID: report--78e12777-f6df-59fd-b2b2-86fc74df6d92

Feed Name: securityonline.info

Threat Score
70/100

Date Published: 2026-06-27

Date Updated: 2026-06-27

Author: Do Son

...
...

A new campaign exploits CVE-2026-33017 to gain unauthenticated RCE on exposed Langflow AI endpoints and deploy a Go-based cryptominer derived from the KORKERDS playbook that disables defenses, persists using an 'init_rmount' file, propagates via stolen SSH keys as a worm, and uses a 39-entry kill list to remove competing malware; organizations are urged to patch Langflow to 1.9.0+, restrict public access, monitor for exploitation, and rotate exposed SSH keys.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.