CyberSecurity news
FlagThis - #botnet
|
info@thehackernews.com (The@The Hacker News
//
A new Flodrix botnet variant is actively targeting vulnerable Langflow AI servers by exploiting a critical remote code execution (RCE) vulnerability tracked as CVE-2025-3248. Langflow, a Python-based visual framework used for building artificial intelligence (AI) applications, contains a missing authentication vulnerability that enables unauthenticated attackers to execute arbitrary code via crafted HTTP requests. Cybersecurity researchers at Trend Micro have highlighted this ongoing campaign, revealing that attackers are leveraging the flaw to execute downloader scripts on compromised Langflow servers. These scripts then fetch and install the Flodrix malware, ultimately leading to full system compromise.
Trend Micro's analysis reveals that attackers are exploiting CVE-2025-3248, which has a CVSS score of 9.8, by using publicly available proof-of-concept (PoC) code to target unpatched, internet-exposed Langflow instances. The vulnerability lies in the lack of input validation or sandboxing within Langflow, allowing malicious payloads to be compiled and executed within the server's context. The downloader scripts retrieve the Flodrix botnet malware from a specified host and, once installed, Flodrix establishes communication with a remote server via TCP to receive commands for launching distributed denial-of-service (DDoS) attacks against targeted IP addresses. Flodrix also supports connections over the TOR anonymity network. The Flodrix botnet is considered an evolution of the LeetHozer botnet, linked to the Moobot group. This improved variant incorporates stealth techniques, including the ability to discreetly remove itself, minimize forensic traces, and obfuscate command-and-control (C2) server addresses, making analysis more challenging. Further enhancements include new, encrypted DDoS attack types. Organizations using Langflow are urged to immediately patch their systems to version 1.3.0 or later, which addresses CVE-2025-3248. Furthermore, implementing robust network monitoring is crucial to detect and mitigate any botnet activity resulting from this vulnerability.
Share:
References :
Classification:
info@thehackernews.com (The@The Hacker News
//
A critical remote code execution vulnerability, CVE-2025-24016, affecting the Wazuh security platform is being actively exploited by Mirai botnets to launch distributed denial-of-service (DDoS) attacks. Akamai discovered this exploitation in late March 2025, revealing that threat actors are using this flaw to deploy Mirai botnet variants. The vulnerability, an unsafe deserialization issue, exists within the Wazuh API, specifically in how parameters within the DistributedAPI are handled.
The vulnerability stems from the deserialization of JSON data using the `as_wazuh_object` function in the `framework/wazuh/core/cluster/common.py` file. Attackers can inject malicious JSON payloads to execute arbitrary Python code remotely. CVE-2025-24016 affects Wazuh server versions 4.4.0 through 4.9.0, and has been assigned a critical CVSS score of 9.9. The flaw was patched in February 2025 with the release of Wazuh version 4.9.1, which replaced the unsafe `eval` function with `ast.literal_eval`. Akamai has observed two distinct botnets exploiting this vulnerability. In both cases, a successful exploit leads to the execution of a shell script that downloads a Mirai botnet payload from an external server. The first botnet deploys variants of LZRD Mirai, a botnet that has been active since 2023, and has also been recently used in attacks targeting GeoVision IoT devices. The second botnet delivers a Mirai variant known as Resbot (aka Resentual). Security researchers emphasize the rapidly decreasing time-to-exploit for newly published CVEs by botnet operators.
Share:
References :
Classification: |