Flodrix Botnet Exploits Critical Langflow Flaw CVE-2025-3248

  • A new cyberattack campaign is exploiting a critical flaw in Langflow to install the Flodrix botnet.
  • The vulnerability, CVE-2025-3248, allows remote code execution on unpatched Langflow servers.
  • Attackers use public proof-of-concept code to compromise vulnerable systems and deploy Flodrix.
  • The Flodrix botnet can launch DDoS attacks, remove traces of itself, and communicate via the TOR network.
  • Security experts advise immediate updates to Langflow version 1.3.0 or later to close the vulnerability.

On June 17, 2025, Cybersecurity researchers reported a new set of attacks using a severe vulnerability in the Python-based visual AI framework Langflow. Hackers are targeting exposed Langflow servers by exploiting a critical missing authentication flaw to install the Flodrix botnet Malware.

- Advertisement -

The vulnerability, tracked as CVE-2025-3248 with a CVSS score of 9.8, enables unauthorized attackers to execute any code on compromised servers via specially crafted web requests. Trend Micro researchers stated that attackers are running downloader scripts on affected systems, which then fetch and execute the Flodrix malware. Langflow addressed this problem in March 2025 with the release of version 1.3.0.

Last month, U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned about active exploitation of this flaw, confirming reports of live attack attempts targeting internet-exposed Langflow instances. Attackers are using a publicly available proof-of-concept code to scan for and access unpatched servers. Once inside, Hacker-controlled scripts download Flodrix from a remote server.

According to Trend Micro, the Flodrix botnet establishes connections with a command center, receiving instructions to conduct distributed denial-of-service (DDoS) attacks on designated targets. The malware can also operate over the TOR Anonymity network to mask communications. Researchers explained, “Since Langflow does not enforce input validation or sandboxing, these payloads are compiled and executed within the server’s context, leading to remote code execution.”

Trend Micro noted different downloader scripts hosted on the same infrastructure used for Flodrix, indicating that threat actors are actively adapting and expanding this campaign. They also identified Flodrix as an evolved form of the LeetHozer botnet linked to the Moobot group.

The Flodrix variant includes features to erase itself and obscure connection addresses, making detection and analysis harder. It deploys new encrypted DDoS attack types and scans running processes for added stealth. Researchers believe attackers are surveying all potential vulnerable servers to choose high-value targets.

Experts strongly recommend updating all Langflow deployments to version 1.3.0 or above. The vulnerability remains a significant risk for any unpatched systems exposed to the internet.

- Advertisement -

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -

Latest News

Spiko Raises $22M, Nears Top 5 in Tokenized MMF With $400M AUM

Spiko, a French tokenized money market fund startup, secured $22 million in a funding...

Bitcoin Surges After $9B Shock, Analysts Predict Cycle Is Over

Bitcoin regained value after last week’s sell-off, pushing the total cryptocurrency market above $4...

ECB Adviser: Digital Euro Alone Won’t Rival US Dollar Stablecoins

An European Central Bank adviser said a central bank digital currency (CBDC) alone will...

Morgan Stanley: India to Lead BRICS with Fastest GDP Growth by 2026

Morgan Stanley projects India to be the fastest-growing economy in the BRICS group through...

Hedera to Raise ConsensusSubmitMessage Fee to $0.0008 in 2026

The Hedera network will raise the fee for the ConsensusSubmitMessage transaction from $0.0001 to...

Must Read

What Are Sniper Bots Used in Defi Trading?

You've heard about DeFi, but what about sniper bots? These high-speed trading tools are shaking up the crypto scene.But don't fret, you're not...