Trend Micro researchers have uncovered an active threat campaign exploiting a critical remote code execution (RCE) vulnerability in Langflow to distribute the Flodrix botnet malware.
Langflow, a popular Python-based framework for building AI applications with over 70,000 GitHub stars, has become a high-value target due to its wide adoption in AI prototyping and automation.
Tracked as CVE-2025-3248, the flaw affects Langflow versions prior to 1.3.0 and allows unauthenticated attackers to execute arbitrary code on exposed servers.
According to Trend Micro, attackers are leveraging the vulnerability to deliver downloader scripts that fetch and install the Flodrix malware. The campaign begins with reconnaissance, likely using internet-wide search services such as Shodan or FOFA, to identify publicly exposed Langflow instances. Attackers then use a proof-of-concept exploit to obtain a shell, run host-reconnaissance commands and exfiltrate the results to a command-and-control (C&C) server.
Once access is gained, a bash script named “docker” (presumably chosen to blend in with legitimate container tooling) is deployed to download and execute Flodrix binaries built for various CPU architectures. Trend Micro's analysis revealed that the threat actor is using multiple downloader variants, suggesting ongoing development.
Although one of the payloads analyzed self-terminated due to an invalid execution parameter, this behavior appears to be intentional, designed to test compatibility and establish which hosts can successfully run the malware and connect to the C&C infrastructure. Once running, Flodrix can facilitate full system compromise, conduct DDoS attacks, and potentially expose sensitive data.
The researchers also noticed similarities between Flodrix and the LeetHozer malware family. Flodrix employs stealth features such as self-deletion, artifact removal, and obfuscation of C&C addresses to evade detection and hinder forensic analysis.
The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-3248 to its Known Exploited Vulnerabilities (KEV) catalog on May 5, 2025. Organizations running Langflow versions prior to 1.3.0 are strongly urged to upgrade immediately and check their infrastructure for signs of compromise. Upgrading closes the entry point but does not remove an implant that was already installed through it, so any instance that was reachable from the internet while unpatched should be treated as potentially compromised until it has been examined.
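The first practical step behind that advice is an inventory: for every Langflow deployment you own, decide whether its version is below the 1.3.0 fix. The following script is an added example written for this article, not code from Trend Micro or the Langflow project. It compares versions numerically rather than as strings (so "1.10.0" is correctly newer than "1.3.0") and treats pre-releases of 1.3.0 such as "1.3.0rc1" as unpatched. The remote check assumes the instance exposes a version endpoint at `/api/v1/version` returning JSON with a `version` field; that endpoint name is an assumption about Langflow's API, and the host list is constructed for illustration.

```python
import json
import re
import urllib.request
from typing import Dict, Optional, Tuple

# CVE-2025-3248 is fixed in Langflow 1.3.0; everything below it is affected.
FIXED_IN = (1, 3, 0)

# Accepts "1.2.0", "v1.2.0", "1.3", "1.3.0rc1", "1.3.0.dev3", ...
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def parse_version(text: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_final_release) for a version string."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    core = (int(major), int(minor), int(patch or 0))
    # Anything trailing the numeric core (rc1, .dev0, a1, ...) is a pre-release
    # of that number, i.e. it sorts before the final release with the same core.
    is_final = suffix.strip(" .-_") == ""
    return core, is_final


def is_vulnerable(version: str) -> bool:
    """True if this Langflow version predates the CVE-2025-3248 fix."""
    core, is_final = parse_version(version)
    if core < FIXED_IN:
        return True
    # A pre-release of 1.3.0 itself is conservatively treated as unpatched.
    if core == FIXED_IN and not is_final:
        return True
    return False


def version_from_response(body: bytes) -> str:
    """Extract the version string from the assumed /api/v1/version JSON body."""
    data = json.loads(body.decode("utf-8"))
    return str(data["version"])


def fetch_version(base_url: str, timeout: float = 5.0) -> Optional[str]:
    """Query one instance for its version; None if it cannot be reached or parsed."""
    # Assumed endpoint; adjust if your deployment exposes version differently.
    url = base_url.rstrip("/") + "/api/v1/version"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return version_from_response(resp.read())
    except Exception:
        return None


def audit(base_urls) -> Dict[str, str]:
    """Map each base URL to 'vulnerable', 'patched' or 'unknown'."""
    results: Dict[str, str] = {}
    for base_url in base_urls:
        version = fetch_version(base_url)
        if version is None:
            results[base_url] = "unknown"
        else:
            results[base_url] = "vulnerable" if is_vulnerable(version) else "patched"
    return results


if __name__ == "__main__":
    # Constructed host list for illustration; replace with your own inventory.
    hosts = ["http://127.0.0.1:7860", "http://langflow.internal.example:7860"]
    for host, status in audit(hosts).items():
        print(f"{host}: {status}")
```

`is_vulnerable` works just as well on a version obtained on the host itself, for example from `pip show langflow` in the deployment's virtual environment, which is the more reliable source when the instance sits behind an authenticating proxy. Instances that report "unknown" should be resolved manually rather than assumed safe.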