Hackers Exploiting Critical Langflow Vulnerability to Deploy Flodrix Botnet and Take System Control

Langflow, the popular Python framework for rapid AI prototyping, is under siege after researchers disclosed CVE-2025-3248, a flaw in the /api/v1/validate/code endpoint that lets unauthenticated attackers execute arbitrary Python with a single crafted POST request.

Within hours of the public proof-of-concept, threat actors began mass-scanning Shodan and FOFA for servers running versions prior to 1.3.0, silently pivoting from reconnaissance commands such as whoami to full remote shells.

The stakes are high: once compromised, an instance can be weaponised for distributed denial-of-service (DDoS) attacks or wholesale data theft, jeopardising the very AI workflows it was meant to accelerate.

Polyswarm analysts noted the sudden appearance of new malware samples that shared an XOR-obfuscated string table and a self-deleting loader—traits that immediately tied them to the emerging Flodrix botnet lineage.

Unlike its LeetHozer predecessor, Flodrix forks child processes with misleading names, erases forensic artefacts, and refuses to reinfect a host if a hidden .system_idle file is present, signalling that the node is already enslaved.

The campaign’s breadth is sobering: more than 1,600 internet-facing Langflow servers were found, many inside research clouds and start-up clusters where default configurations expose the vulnerable endpoint.

Early victims report CPU spikes and outbound traffic to Tor relays minutes after breach, underscoring the botnet’s dual role as both DDoS cannon and covert data siphon.

The vulnerability captures the traffic burst pattern during the first hour of compromise, while the flodrix process illustrates how the malware renames itself to imitate benign system daemons.

Infection Mechanism: From POST to Persistence

The attack chain begins with a 200-byte exploit that injects Python straight into Langflow’s worker process, spawning /tmp/docker—a downloader that fetches the main ELF payload over raw TCP or concealed Tor circuits.

Once executed, Flodrix checks for root privileges and, if successful, installs a systemd service named langflow-sync.service, guaranteeing reboot persistence.

The core bot then executes the following routine to mask its C&C:

seed = 0x5A  # single-byte XOR key  
addr_enc = b'\x13\x37\x42\x1f'  # encoded C2 address bytes  
c2 = bytes([(b ^ seed) for b in addr_enc])  # XOR-decoded C2 IP

The same seed doubles as a kill-switch; if defenders broadcast it to port 6666/TCP, infected hosts terminate instantly.

Until enterprises patch to v1.3.0 and firewall public endpoints, Flodrix will continue converting unguarded AI nodes into obedient siege engines—one crafted POST at a time.
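A host triage sketch built only from the artefacts named above (/tmp/docker, langflow-sync.service, .system_idle) and the 1.3.0 fix boundary; it is an added example, not code from Polyswarm or the Langflow project. The directories searched for the unit and marker files are assumptions, and the demo tree is constructed.

```python
import os
import re
import tempfile
from pathlib import Path

FIXED = (1, 3, 0)  # the article: releases prior to 1.3.0 expose the endpoint
# Assumed search locations: the article names the artefacts, not all their paths.
UNIT_DIRS = ("etc/systemd/system", "usr/lib/systemd/system", "lib/systemd/system")
MARKER_DIRS = ("tmp", "var/tmp", "root", "home")


def langflow_is_vulnerable(version: str) -> bool:
    """True if older than 1.3.0; unparseable strings count as vulnerable."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        return True  # unknown version: flag it for manual review
    return tuple(int(g or 0) for g in m.groups()) < FIXED


def sweep(root: str = "/") -> list[str]:
    """Return paths under root that match artefacts named in the article."""
    base, hits = Path(root), []
    dropper = base / "tmp" / "docker"            # downloader dropped by the exploit
    if dropper.is_file():
        hits.append(str(dropper))
    for d in UNIT_DIRS:                          # reboot persistence unit
        unit = base / d / "langflow-sync.service"
        if unit.is_file() or unit.is_symlink():
            hits.append(str(unit))
    for d in MARKER_DIRS:                        # "already infected" marker file
        for dirpath, _dirs, files in os.walk(base / d):
            if ".system_idle" in files:
                hits.append(os.path.join(dirpath, ".system_idle"))
    return hits


def demo() -> list[str]:
    """Run the sweep over a constructed directory tree (not real sample data)."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel in ("tmp/docker", "etc/systemd/system/langflow-sync.service",
                    "var/tmp/.cache/.system_idle", "tmp/notes.txt"):
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text("constructed placeholder\n")
        return [Path(h).relative_to(tmp).as_posix() for h in sweep(tmp)]


if __name__ == "__main__":
    print(langflow_is_vulnerable("1.2.0"), demo())
```

A hit on /tmp/docker alone can be a false positive on hosts that legitimately use that name, so treat the three indicators together and confirm against process and network evidence.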


The post Hackers Exploiting Critical Langflow Vulnerability to Deploy Flodrix Botnet and Take System Control appeared first on Cyber Security News.