Langflow, the popular Python framework for rapid AI prototyping, is under siege after researchers disclosed CVE-2025-3248, a flaw in the /api/v1/validate/code endpoint that lets unauthenticated attackers execute arbitrary Python with a single crafted POST request.
Within hours of the public proof-of-concept, threat actors began mass-scanning Shodan and FOFA for servers running versions prior to 1.3.0, silently pivoting from reconnaissance commands such as whoami to full remote shells.
The stakes are high: once compromised, an instance can be weaponised for distributed denial-of-service (DDoS) attacks or wholesale data theft, jeopardising the very AI workflows it was meant to accelerate.
Polyswarm analysts noted the sudden appearance of new malware samples that shared an XOR-obfuscated string table and a self-deleting loader, traits that immediately tied them to the emerging Flodrix botnet lineage.
Unlike its LeetHozer predecessor, Flodrix forks child processes with deceptive names, erases forensic artefacts, and refuses to reinfect a host if a hidden .system_idle file is present, signalling that the node is already enslaved.
The campaign's breadth is sobering: more than 1,600 internet-facing Langflow servers have been found, many inside research clouds and start-up clusters where default configurations expose the vulnerable endpoint.
Early victims report CPU spikes and outbound traffic to Tor relays minutes after breach, underscoring the botnet's dual role as both DDoS cannon and covert data siphon.
The vulnerability captures the traffic burst pattern during the first hour of compromise, while the Flodrix process illustrates how the malware renames itself to mimic benign system daemons.
Infection Mechanism: From POST to Persistence
The attack chain begins with a 200-byte exploit that injects Python directly into Langflow's worker process, spawning /tmp/docker, a downloader that fetches the main ELF payload over raw TCP or hidden Tor circuits.
Once executed, Flodrix checks for root privileges and, if successful, installs a systemd service named langflow-sync.service, ensuring reboot persistence.
The core bot then executes the following routine to mask its C&C:
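# Single-byte XOR key applied to every byte of the stored address
seed = 0x5A
# Encoded C2 address as stored in the sample (four raw bytes)
addr_enc = b'\x13\x37\x42\x1f'
c2 = bytes([(b ^ seed) for b in addr_enc])  # XOR-decoded C2 IP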
The same seed doubles as a kill-switch; if defenders broadcast it to port 6666/TCP, infected hosts terminate immediately.
Until enterprises patch to v1.3.0 and firewall public endpoints, Flodrix will continue converting unguarded AI nodes into obedient siege engines, one crafted POST at a time.
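The host artefacts named in this article (/tmp/docker, langflow-sync.service and the .system_idle marker) can be checked with a short triage script. This is an added example, not code from the researchers or from Langflow; the directories searched for the unit file and the marker are assumptions, since the article gives no paths for them, and the sample tree is constructed.

```python
import os
import tempfile

# Indicator names come from the article; the search directories are assumptions.
MARKER_NAME = ".system_idle"          # "already infected" marker (no path given)
DROPPER_PATH = "tmp/docker"           # downloader location, relative to root
UNIT_NAME = "langflow-sync.service"   # persistence unit name
UNIT_DIRS = ("etc/systemd/system", "usr/lib/systemd/system", "lib/systemd/system")
MARKER_DIRS = ("tmp", "var/tmp", "root", "home")


def triage(root="/"):
    """Return a sorted list of (indicator, path) pairs found under root."""
    hits = []
    dropper = os.path.join(root, DROPPER_PATH)
    # A regular file at /tmp/docker is unexpected on a clean host.
    if os.path.isfile(dropper):
        hits.append(("dropper", dropper))
    for d in UNIT_DIRS:
        unit = os.path.join(root, d, UNIT_NAME)
        if os.path.lexists(unit):     # also catches a dangling symlink
            hits.append(("systemd-unit", unit))
    for d in MARKER_DIRS:
        base = os.path.join(root, d)
        # Unreadable directories are skipped rather than aborting the walk.
        for dirpath, _dirs, files in os.walk(base, onerror=lambda e: None):
            if MARKER_NAME in files:
                hits.append(("marker", os.path.join(dirpath, MARKER_NAME)))
    return sorted(hits)


def build_sample_tree(infected):
    """Constructed directory tree standing in for a host filesystem."""
    root = tempfile.mkdtemp(prefix="triage-")
    for d in UNIT_DIRS + MARKER_DIRS:
        os.makedirs(os.path.join(root, d), exist_ok=True)
    if infected:
        for rel in (DROPPER_PATH, "etc/systemd/system/" + UNIT_NAME,
                    "var/tmp/" + MARKER_NAME):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("constructed sample\n")
    return root


if __name__ == "__main__":
    for kind, path in triage("/"):
        print(kind, path)
```

Because Flodrix erases forensic artefacts and its loader deletes itself, an empty result does not clear a host; pair the check with a review of the Langflow version and of requests to /api/v1/validate/code.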