- A new cyberattack campaign is exploiting a critical flaw in Langflow to install the Flodrix botnet.
- The vulnerability, CVE-2025-3248, allows remote code execution on unpatched Langflow servers.
- Attackers use public proof-of-concept code to compromise vulnerable systems and deploy Flodrix.
- The Flodrix botnet can launch DDoS attacks, remove traces of itself, and communicate via the TOR network.
- Security experts advise immediate updates to Langflow version 1.3.0 or later to close the vulnerability.
On June 17, 2025, Cybersecurity researchers reported a new set of attacks using a severe vulnerability in the Python-based visual AI framework Langflow. Hackers are targeting exposed Langflow servers by exploiting a critical missing authentication flaw to install the Flodrix botnet Malware.
The vulnerability, tracked as CVE-2025-3248 with a CVSS score of 9.8, enables unauthorized attackers to execute any code on compromised servers via specially crafted web requests. Trend Micro researchers stated that attackers are running downloader scripts on affected systems, which then fetch and execute the Flodrix malware. Langflow addressed this problem in March 2025 with the release of version 1.3.0.
Last month, U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned about active exploitation of this flaw, confirming reports of live attack attempts targeting internet-exposed Langflow instances. Attackers are using a publicly available proof-of-concept code to scan for and access unpatched servers. Once inside, Hacker-controlled scripts download Flodrix from a remote server.
According to Trend Micro, the Flodrix botnet establishes connections with a command center, receiving instructions to conduct distributed denial-of-service (DDoS) attacks on designated targets. The malware can also operate over the TOR Anonymity network to mask communications. Researchers explained, “Since Langflow does not enforce input validation or sandboxing, these payloads are compiled and executed within the server’s context, leading to remote code execution.”
Trend Micro noted different downloader scripts hosted on the same infrastructure used for Flodrix, indicating that threat actors are actively adapting and expanding this campaign. They also identified Flodrix as an evolved form of the LeetHozer botnet linked to the Moobot group.
The Flodrix variant includes features to erase itself and obscure connection addresses, making detection and analysis harder. It deploys new encrypted DDoS attack types and scans running processes for added stealth. Researchers believe attackers are surveying all potential vulnerable servers to choose high-value targets.
Experts strongly recommend updating all Langflow deployments to version 1.3.0 or above. The vulnerability remains a significant risk for any unpatched systems exposed to the internet.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Luxembourg Issues €50M Digital Treasury Note via HSBC Blockchain
- Little Pepe and Kaspa Emerge as Top Undervalued Crypto Contenders
- Polymarket Traders Lower Odds of U.S. Strike on Iran After Talks
- Meta Launches Privacy-Focused Ads on WhatsApp Status Updates
- Partior Joins OSTTRA FX PvP System, Linking Major DLT Platforms
