
Langflow CVE-2026-33017 RCE Used for Monero Mining on Exposed AI Endpoints
Active exploitation of Langflow RCE for cryptojacking shows attackers systematically targeting exposed AI endpoints. The operation demonstrates two-year evolution of a mining toolkit that prioritizes killing competitors and spreading via SSH. This pattern extends prior cloud cryptojacking campaigns to the expanding surface of unauthenticated AI frameworks.
The campaign begins with a single Python eval in the Langflow API that fetches a shell script, downloads the ELF binary lambsys, and executes it detached. The binary kills processes tied to Kinsing, WatchDog, Rocke, and Outlaw, removes their wallet files, disables AppArmor, ufw, iptables, SELinux, and the Aliyun agent, then clears logs and sets immutable attributes on persistence paths. It spreads via reused SSH keys and beacons to 83.142.209[.]214:80 for pool selection and geo-fencing based on ipinfo.io data. Trend Micro observed an earlier compile date of May 2024, showing two years of iteration on the same family. Exposed Langflow instances function as low-friction entry points into enterprise AI infrastructure. The same scanning patterns that previously targeted Jupyter, MLflow, and Ray clusters are now pivoting to newer frameworks as organizations rush deployments without authentication or network segmentation. This is not opportunistic mining alone; it is systematic abuse of AI-adjacent services whose default configurations prioritize developer speed over isolation. The malware's subprocess cascade design trades stealth for reliability across 51 distinct shell commands, ensuring partial failures do not abort the full chain. Persistence via cron and SSH key reuse turns a single compromised endpoint into a beachhead for lateral movement across GPU clusters. Expect similar campaigns against any newly popular AI tooling that exposes unauthenticated code-execution surfaces. Next steps include wider Shodan-style enumeration of Langflow and related services, followed by rapid patching or network isolation of affected instances. Organizations running public AI endpoints should assume credential reuse and scan for the lambsys binary and the specific cron modifications within the next 30 days.
Shodan: Within 60 days, the number of publicly indexed Langflow instances will drop below 800 as operators apply network controls or patches.
Sources (3)
- [1]Primary Source(https://thehackernews.com/2026/06/langflow-rce-exploited-to-deploy-monero.html)
- [2]Trend Micro Technical Report(https://www.trendmicro.com/en_us/research/26/f/langflow-campaign.html)
- [3]Supporting Source(https://nvd.nist.gov/vuln/detail/CVE-2026-33017)