logo

Langflow RCE Exploited to Deploy Monero Miner on Exposed AI App Endpoints

ID: 47890215-8c46-5cd2-83af-4781108c7c3d

STIX ID: report--47890215-8c46-5cd2-83af-4781108c7c3d

Feed Name: The Hacker News

Threat Score
75/100

Date Published: 2026-06-30

Date Updated: 2026-07-01

Author: [email protected] (The Hacker News)

...
...

This report describes an active campaign exploiting a critical unauthenticated Langflow RCE (CVE-2026-33017, CVSS 9.3) to deliver a custom Monero miner ('lambsys'). The attacker-run dropper fetches and launches an ELF miner that disables host security controls, removes logs, establishes persistence via cron, spreads via reused SSH keys, and contacts an external server for additional payloads and geolocation-aware pool selection; IOCs and historical context for Langflow exploitation are provided.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.