Threat actors have been exploiting a recently patched Langflow vulnerability to ensnare devices in the Flodrix botnet, Trend Micro warned on Tuesday.
The flaw, tracked as CVE-2025-3248, started making headlines in early May, after the cybersecurity agency CISA added it to its Known Exploited Vulnerabilities (KEV) catalog.
The existence of the vulnerability, which can be exploited by a remote and unauthenticated attacker for arbitrary code execution, came to light in early April, after a patch was rolled out with the release of Langflow 1.3.0.
Technical details and proof-of-concept (PoC) exploits started emerging roughly one week later.
Langflow is a popular low-code development platform designed for the creation and deployment of AI agents and workflows. It has more than 70,000 stars on GitHub.
When CISA added CVE-2025-3248 to its KEV catalog, no information was available on the attacks exploiting the vulnerability.
Trend Micro has now revealed that the security hole has been exploited in Flodrix botnet attacks. Specifically, attackers scanned the internet for vulnerable Langflow instances and then leveraged one of the publicly available PoC exploits to gain shell access to the system and run various commands for reconnaissance purposes.
The threat actor then downloaded and executed the Flodrix malware on the compromised systems. Once up and running, the malware establishes a connection to its C&C server and waits for commands from its operator. The Flodrix botnet is mainly used to conduct DDoS attacks.
According to Trend Micro, the malware used in these attacks is an evolution of the LeetHozer malware analyzed by Chinese security firm Qihoo 360 back in 2020.
While there are several similarities to LeetHozer, there are also some differences, including different response headers, several configuration options, new DDoS attack types, and additional layers of obfuscation.
“This variant employs several stealth techniques, including self-deletion and artifact removal, to minimize forensic traces and hinder detection. It also uses string obfuscation to conceal command-and-control (C&C) server addresses and other key indicators, complicating analysis efforts,” Trend Micro said.
Threat intelligence firm GreyNoise has seen more than 370 IP addresses attempting to exploit CVE-2025-3248 over the past month, with the most recent attempts seen by the company on June 12.
At the time of writing, the Censys search engine shows more than 1,600 internet-exposed Langflow instances, but it’s unclear how many of them are actually vulnerable to attacks.