Critical Langflow Vulnerability (CVE-2025-3248) Actively Exploited to Deliver Flodrix Botnet

June 23, 2025, 8:10 p.m.

Description

An active campaign is exploiting CVE-2025-3248, a critical vulnerability in Langflow versions before 1.3.0, to deliver the Flodrix botnet. Attackers use the flaw to execute downloader scripts on compromised servers, which then fetch and install the Flodrix malware. The vulnerability allows full system compromise, DDoS attacks, and potential data exfiltration. Organizations using vulnerable Langflow versions on public networks are at high risk. The attack chain involves reconnaissance, exploitation of the CVE, deployment of a downloader script, and execution of the Flodrix botnet payload. The malware employs anti-forensic techniques and can perform various DDoS attacks based on commands from its C&C server.

External References

https://www.trendmicro.com/en_us/research/25/f/langflow-vulnerability-flodric-botnet.html#
https://otx.alienvault.com/pulse/6852fb64e49e359036e6522e
Tags
exploit
ddos
botnet
rce
CVE-2025-3248
2025-06-18
flodrix
langflow

Date

  • Created: June 18, 2025, 5:46 p.m.
  • Published: June 18, 2025, 5:46 p.m.
  • Modified: June 23, 2025, 8:10 p.m.

Indicators

  • ca8095af62b836f3ddd12007bc8cb67cdd39266c3d40179691f9ee1ca94e9428
  • f73b554e6aa7095cfc79cdb687204d99533aeda73309106ba6cc9428ff57bd1e
  • ee84591092a971c965b4e88cc5d6e8c2f07773b3bee1486f3a52483ee72a2b3b
  • ec52f75268b2f04b84a85e08d56581316bd5ccfeb977e002eb43270fe713f307
  • ec0f2960164cdcf265ed78e66476459337c03acb469b6b302e1e8ae01c35d7ec
  • e4aea6ee7005ee4b500e0b8673b69ea91d1a7532facad653e575ba29824845d9
  • e1c830643de2ec7bc7c032f7ec96c302ce54e703eaf576d3796d1bbd05d8a63f
  • e08e03091defb5006792934389aa350e8c48c37e59e282ef8fe3c3f126212e20
  • df9e9006a566a4fe30eaa48459ec236d90fd628f7587da9e4a6a76d14f0e9c98
  • dc9a484f4910ee08eb22afab8d328eef5328c9a5a8abc6a50062e2065262a81f
  • ccb02dce1bca9c3869e1e1d1774764e82206026378d1250aed324f1b7f9b1f11
  • d8d5a32bbd747c92fa1bb55dce4abb20e8d09711aebcbfe8e7eec83173f9e627
  • c97128a452ff24d9ba70a3a7674c1d7ad21babc9c75e7c34330baddaeea3d4bd
  • c2bcdd6e3cc82c4c4db6aaf8018b8484407a3e3fce8f60828d2087b2568ecca4
  • c2dceb14eb91802cd4f78e78634e7837f4b2f4d1329d3f5293c53798b4d0c30e
  • c462a09db1a74dc3d8ed199edca97de87b6ed25c2273c4a3afe811ed0c1c8b1d
  • ab0f9774ca88994091db0ae328d98f45034f653bd34e4f5e85679a972d3a039c
  • abb0c4ad31f013df5037593574be3207a4c1e066a96e58ce243aaf2ef0fc0e4d
  • a6cf8124e9b4558aacc7ddfa24b440454b904b937929be203ed088b1040d1b36
  • a42f8428aa75c180c2f89fbb8b1e44307c2390ed0ebf5af10015131b5494f9e1
  • 99b59e53010d58f47d332b683eb8a40df0e0eacef86390bca249a708e47d9bad
  • 9991c664c052ec407e53439ac6bb4df3cbbe3e54af243d007a39d8a3dab935b9
  • 9850eb26d8cbef3358da4df154e054759a062116c2aa82de9a69a8589f0dce49
  • 80c956c5f279a436e7cf81b3e47333144da5ef39bd76bd8c4a65e4571125ea7a
  • 912573354e6ed5d744f490847b66cb63654d037ef595c147fc5a4369fef3bfee
  • 7bdbf2766ad55f9a67bfbb97a32d308530e4b5959bb68a9acb22326dfee8f282
  • 6dd0464dd0ecde4bb5a769c802d11ab4b36bbe0dd4f0f44144121762737a6be0
  • 78b430bff7d797b020d06702659e26d8ca01c8fc968239390697aeff472623a7
  • 64927195d388bf6a1042c4d689bcb2c218320e2fa93a2dcc065571ade3bb3bd3
  • 57cedc81378f98e568539cc653349ff70ef851a6d51886fd2560f30df5e31bbd
  • 52a034e732bce0cb10fbfae6f3c208ffb885d490fbcd70bad62fb2e32a7c33f8
  • 4aa59dde4c8da2cff1a3afe02db3ae6c00d99e698db11838b791e1d6c582ffb6
  • 51085cd2de0ed6a9a6738ac85a8caf297fbd22db4b049822a9802bb8140dcd3d
  • 47497b24af6ff42dae582998aeeedbc7b9ca6b3e0d82e8e49e8ac4a0f453a659
  • 1e5e9723c6b492c477471cccb4d7b26aae653b0c5491c29739f784c664699d36
  • 09efd15ff0317424b9b964626da5e42d68b3ce91f509b16dad9892d156d3eabe
  • 08cf20e54c634f21d8708573eef7fde4dbd5d3cd270d2cb8790e3fe1f42eccec
  • 002f3b2c632e0be6cbc3fdf8afcd0432ffe36604ba1ba84923cadaa147418187
  • 45.61.137.226
  • 206.71.149.179
  • 80.66.75.121
Download all indicators here!

Attack Patterns