Threat actors are exploiting CVE-2026-33017 in Langflow to gain unauthenticated remote code execution and deploy a Monero miner through a multi-stage infection chain. The campaign uses the lambsys binary to disable security tools, persist via cron and SSH keys, remove traces, and spread to other hosts reachable with reused credentials.
#Langflow #CVE2026-33017 #lambsys #XMRig #Monero #Kinsing #WatchDog #Rocke #Outlaw
Key points
- Attackers are abusing CVE-2026-33017 in Langflow for unauthenticated remote code execution.
- The campaign delivers a Monero miner through a Python-to-shell-script infection chain.
- The lambsys binary kills rival miners, disables security controls, and establishes persistence.
- The malware removes logs and tampers with SSH keys, cron files, and system settings.
- The operation can spread to other SSH-reachable hosts and uses ipinfo.io for targeting decisions.
Read More: https://thehackernews.com/2026/06/langflow-rce-exploited-to-deploy-monero.html