This blog details research and analysis of an active campaign that exploits a critical unauthenticated remote code execution (RCE) vulnerability, CVE-2025-3248, that has been identified in Langflow versions prior to 1.3.0. Langflow is a Python-powered visual framework for building AI applications with over 70,000 GitHub stars, and its versions prior to 1.3.0 contains a flaw in its code validation mechanism that permits arbitrary code execution.
Unauthenticated attackers can exploit this vulnerability by crafting malicious POST requests to the /api/v1/validate/code endpoint. The malicious payload in our investigation was found embedded within argument defaults or decorators of a Python function definition. Since Langflow does not enforce input validation or sandboxing, these payloads are compiled and executed within the server’s context, leading to RCE.
Read more…
Source: Trend Micro
Sign up for our Newsletter
The latest news and insights delivered right to your inbox.
Related:
- CISA Adds One Known Exploited Vulnerability to Catalog
January 23, 2023
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. This type of vulnerability is a frequent attack vector for malicious cyber actors and poses a significant risk to the federal enterprise. Note: To view the newly added vulnerabilities in the catalog, click on the arrow in the ...
- Exploiting null-dereferences in the Linux kernel
January 19, 2023
For a fair amount of time, null-deref bugs were a highly exploitable kernel bug class. Back when the kernel was able to access userland memory without restriction, and userland programs were still able to map the zero page, there were many easy techniques for exploiting null-deref bugs. However with the introduction of modern exploit mitigations such ...
- Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475)
January 19, 2023
Mandiant is tracking a suspected China-nexus campaign believed to have exploited a recently announced vulnerability in Fortinet’s FortiOS SSL-VPN, CVE-2022-42475, as a zero-day. Evidence suggests the exploitation was occurring as early as October 2022 and identified targets include a European government entity and a managed service provider located in Africa. Mandiant identified a new malware they ...
- Thousands of Sophos firewalls still vulnerable out there to hijacking
January 18, 2023
More than 4,000 public-facing Sophos firewalls remain vulnerable to a critical remote code execution bug disclosed last year and patched months later, according to security researchers. The flaw, CVE-2022-3236, had already been exploited as a zero-day when Sophos published a security advisory about the vulnerability in September 2022. At the time, the vendor said the hole ...
- CISA Releases Four Industrial Control Systems Advisories
January 17, 2023
CISA released four Industrial Control Systems (ICS) advisories on January 17, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations: ICSA-23-017-01 GE Proficy Historian ICSA-23-017-02 Mitsubishi Electric MELSEC iQ-F, iQ-R Series Read more… Source: U.S. Cybersecurity and ...
- Hackers exploit Cacti critical bug to install malware, open reverse shells
January 15, 2023
More than 1,600 instances of the Cacti device monitoring tool reachable over the internet are vulnerable to a critical security issue that hackers have already started to exploit. Cacti is an operational and fault management monitoring solution for network devices that also provides graphical visualization. There are thousands of instances deployed across the world exposed on ...