A cryptominer malware campaign targeting Langflow exploits unpatched AI application endpoints through CVE-2026-33017, a vulnerability that allows unauthenticated remote code execution (RCE). Key points include:
- **Malware Family**: Modified KORKERDS/MALXMR variant.
- **Attack Method**: Scans for vulnerable Langflow instances and deploys a cryptocurrency miner on them.
- **Capabilities**: Cryptomining, SSH worm propagation, and defense evasion.
- **Delivery**: Uses CVE-2026-33017 to bypass the login procedure and deliver the mining software, which drives up server costs and degrades performance.
- **Post-Infection Behaviour**: Disables security controls, establishes persistence, and maintains a kill list that terminates competing malware; stolen SSH keys are used to reach additional hosts across the network.
- **Defense Guidance**: Update Langflow immediately to close the vulnerability, enforce strict access controls, and audit affected systems thoroughly.
Administrators should treat any sign of attempted exploitation seriously, since attackers may already have installed backdoors.