Emerging Threat: Flodrix Botnet Exploiting Langflow Vulnerability
Introduction to the Threat
Security researchers are warning about a campaign that exploits a critical vulnerability in Langflow, a Python-based visual framework for building artificial intelligence applications, to deploy the Flodrix botnet malware. Recent research from Trend Micro documents how the attackers use the flaw and what the resulting infections do.
The Vulnerability: CVE-2025-3248
The vulnerability, tracked as CVE-2025-3248, carries a CVSS score of 9.8. Langflow's /api/v1/validate/code endpoint, which compiles and executes submitted Python in order to check it, could be reached without authentication, so a remote attacker could execute arbitrary code on the server with a single crafted HTTP request. Langflow's developers fixed the issue in version 1.3.0, released in March 2025.
Active Exploitation in the Wild
In May 2025 the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-3248 to its Known Exploited Vulnerabilities (KEV) catalog, confirming that it was being exploited in the wild. The SANS Technology Institute also recorded exploitation attempts against its honeypot servers. Trend Micro's findings show that the threat actors are specifically targeting unpatched Langflow instances exposed to the internet, using publicly available proof-of-concept (PoC) code.
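Because the vulnerable endpoint required no session, the simplest hunting query for an exposed instance is "who has been POSTing to the code-validation path, and does it look like the Langflow UI?". The script below is an added example (not part of Trend Micro's or Langflow's material) that runs that triage over web-server access logs; the log lines are constructed for illustration, the only real identifier is the endpoint path, and the Referer/User-Agent heuristic is an assumption a defender would tune to their own deployment.

```python
"""Triage web-server access logs for scripted POSTs to Langflow's
code-validation endpoint. Added example; sample lines are constructed."""
import re
from collections import Counter

VALIDATE_PATH = "/api/v1/validate/code"

# nginx/Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (not real traffic): one scripted burst from a single
# source, one unrelated request, and one legitimate UI call that carries a
# browser User-Agent plus an in-app Referer.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2025:08:14:02 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 312 "-" "python-requests/2.31.0"
203.0.113.7 - - [10/May/2025:08:14:05 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 298 "-" "python-requests/2.31.0"
198.51.100.20 - - [10/May/2025:08:20:11 +0000] "GET /api/v1/flows/ HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2025:08:14:09 +0000] "POST /api/v1/validate/code HTTP/1.1" 500 87 "-" "curl/8.5.0"
192.0.2.44 - - [10/May/2025:09:01:40 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 310 "https://langflow.example.internal/flow/1" "Mozilla/5.0 (X11; Linux x86_64)"
"""


def parse_line(line: str):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(entry: dict) -> bool:
    """Heuristic (assumption): a POST to the validation endpoint that does not look
    like the Langflow UI, i.e. no in-app Referer or a non-browser User-Agent.
    Since the vulnerable endpoint needed no session, every such hit deserves a look."""
    if entry["method"] != "POST" or not entry["path"].startswith(VALIDATE_PATH):
        return False
    browser_like = entry["ua"].startswith("Mozilla/")
    has_app_referer = entry["referer"] not in ("", "-")
    return not (browser_like and has_app_referer)


def suspicious_sources(log_text: str) -> Counter:
    """Count suspicious validate-endpoint POSTs per source IP."""
    hits = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            hits[entry["ip"]] += 1
    return hits


if __name__ == "__main__":
    for ip, n in suspicious_sources(SAMPLE_LOG).most_common():
        print(f"{ip}\t{n} suspicious POST(s) to {VALIDATE_PATH}")
```

On a patched instance the endpoint still exists, so a hit is not proof of compromise; it is the starting point for checking the server's process list, cron entries and outbound connections from the time of the request.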
Mechanism of the Attack
After exploiting the flaw, the attackers run a downloader script on the compromised Langflow server. The script fetches the Flodrix payload from 80.66.75[.]121:25565 and installs it. Once running, the malware connects to a remote command-and-control server and waits for instructions to launch distributed denial-of-service (DDoS) attacks against chosen IP addresses. The botnet can also communicate over the Tor anonymity network to conceal its infrastructure.
Execution and Impact
Because the validation endpoint neither authenticates the caller nor sandboxes the code it receives, the attacker's Python is compiled and executed directly on the server with the privileges of the Langflow process. This is full remote code execution, not merely an elevated risk of it. Trend Micro researchers also observed the attackers profiling vulnerable servers and collecting data to identify high-value targets for follow-on attacks.
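The bug class is easy to reproduce in miniature. The following is an added example, not Langflow's code: a "validate this snippet" function that compiles and executes each top-level statement (the vulnerable pattern) next to one that only parses, plus a request-handler shape that rejects unauthenticated callers before doing anything. The environment-variable markers, the bearer-token scheme and the payload are constructed for the demonstration; the payload sets two harmless markers where a real attacker would call os.system.

```python
"""Illustrative reconstruction of the CVE-2025-3248 bug class: a code-validation
routine that executes the submission versus one that only parses it.
Added example; not Langflow's implementation."""
import ast
import os

# Markers (assumed names, nothing Flodrix sets) that become visible only if
# the submitted code actually ran.
MARKER_DECORATOR = "LANGFLOW_DEMO_DECORATOR_RAN"
MARKER_DEFAULT = "LANGFLOW_DEMO_DEFAULT_RAN"

# Constructed payload: a syntactically valid function whose decorator and
# default argument carry the real work. exec() of the definition runs both.
MALICIOUS_SNIPPET = f'''
import os
def hook():
    os.environ["{MARKER_DECORATOR}"] = "1"   # stand-in for os.system(...)
    return lambda f: f

@hook()
def harmless(x=os.environ.setdefault("{MARKER_DEFAULT}", "1")):
    return x
'''


def validate_code_unsafe(code: str) -> dict:
    """Vulnerable pattern: parse, then exec each top-level statement to surface
    import and definition errors. Decorators, default arguments and module-level
    statements all execute with the server's privileges."""
    try:
        tree = ast.parse(code)
    except SyntaxError as exc:
        return {"ok": False, "errors": [f"{exc.msg} (line {exc.lineno})"]}
    namespace: dict = {}
    errors = []
    for node in tree.body:
        module = ast.Module(body=[node], type_ignores=[])
        try:
            exec(compile(module, "<submitted>", "exec"), namespace)  # the RCE
        except Exception as exc:  # surfaced to the caller as a "validation error"
            errors.append(f"{type(exc).__name__}: {exc}")
    return {"ok": not errors, "errors": errors}


def validate_code_safe(code: str) -> dict:
    """Hardened: syntax check with ast.parse only; nothing is executed. Imports
    are reported so a reviewer can see them, but no module is loaded."""
    try:
        tree = ast.parse(code)
    except SyntaxError as exc:
        return {"ok": False, "errors": [f"{exc.msg} (line {exc.lineno})"], "imports": []}
    imports = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            imports.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            imports.add(node.module.split(".")[0])
    return {"ok": True, "errors": [], "imports": sorted(imports)}


def handle_validate(headers: dict, body: str, expected_token: str) -> tuple:
    """Handler shape for the fixed behaviour: refuse unauthenticated callers first,
    then validate without executing. The bearer-token check is an assumption for
    this example, not Langflow's authentication design."""
    if headers.get("Authorization") != f"Bearer {expected_token}":
        return 401, {"detail": "authentication required"}
    return 200, validate_code_safe(body)


def marker_ran(name: str) -> bool:
    """True if the marker variable was set, i.e. the submitted code executed."""
    return os.environ.get(name) == "1"


if __name__ == "__main__":
    print("safe  :", validate_code_safe(MALICIOUS_SNIPPET), "ran:", marker_ran(MARKER_DECORATOR))
    print("unsafe:", validate_code_unsafe(MALICIOUS_SNIPPET), "ran:", marker_ran(MARKER_DECORATOR))
```

The point the unsafe path makes is that the payload validates "cleanly": it reports no errors, yet both markers are set, because Python evaluates decorators and default arguments at definition time. Parsing alone catches syntax errors without giving the submitter any execution, and the authentication check closes the door that let unauthenticated internet hosts reach the endpoint at all.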
Flodrix: An Evolved Threat
Flodrix appears to be an evolution of LeetHozer, an earlier botnet associated with the Moobot group. The new variant can remove itself from an infected host discreetly and obfuscates its command-and-control (C2) server information, which complicates forensic analysis and improves the botnet's stealth.
New DDoS Attack Methods
Trend Micro also noted two new capabilities. The first is a set of encrypted DDoS attack types, which add complexity to the attacks and make the malware harder to analyse. The second is the ability to enumerate running processes on the infected host, which expands what the operators can learn about and do with each bot.
Misconfigurations in C2 Server
In a follow-up analysis, Censys found the Flodrix command-and-control server misconfigured: it exposed a portmapper service and an NFS (Network File System) share, and the data on that share allowed Censys to identify 745 compromised hosts. Most were in Taiwan (540 devices), with 17 in the United States. Nearly half of the compromised systems appear to be internet-connected cameras, underscoring how much of the botnet is built from everyday devices.
Conclusion
For organizations and developers running Langflow, the immediate actions are clear: upgrade to version 1.3.0 or later, avoid exposing instances directly to the internet without authentication in front of them, and review access logs for unexpected requests to the code-validation endpoint. As threats continue to evolve, keeping systems like this patched and monitored remains essential to limit the reach of emerging botnets such as Flodrix.