Langflow RCE Exploited to Deploy Monero Miner on Exposed AI App Endpoints
ID: 47890215-8c46-5cd2-83af-4781108c7c3d
STIX ID: report--47890215-8c46-5cd2-83af-4781108c7c3d
Feed Name: The Hacker News
This report describes an active campaign exploiting a critical unauthenticated Langflow RCE (CVE-2026-33017, CVSS 9.3) to deliver a custom Monero miner ('lambsys'). The attacker-run dropper fetches and launches an ELF miner that disables host security controls, removes logs, establishes persistence via cron, spreads via reused SSH keys, and contacts an external server for additional payloads and geolocation-aware pool selection; IOCs and historical context for Langflow exploitation are provided.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
