Hello and welcome to the Monday, April 14th, 2025 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Orlando, Florida.

Well, I think on Friday I briefly mentioned a vulnerability in Langflow where we saw at the time a single exploit attempt. Since then,

the number of exploit attempts has skyrocketed. I think we have about a thousand now that we

have captured some of them with their payload. All of these requests come from Tor's endpoints,

as far as I've been able to tell. There may be a couple

that I missed, but that sort of indicates that it's a little bit different botnet. If it is a

botnet at all, that's not doing the scanning, more likely sort of a single source that just

obfuscates itself behind Tor. The payload that we have seen so far exclusively

and we don't capture payloads for all requests is a simple check for Etsy password, which

has the cat Etsy password. That's the command they are executing. Likely, it's just to check if a particular

system is vulnerable to this particular issue. Now, a little bit of background here. This

vulnerability in Langflow was originally discovered by Horizon 3. Horizon 3 late last week did

publish a blog post with details, including a proof of concept

exploit. The exploit, once you see it, is pretty straightforward. The vulnerability has been

patched about two weeks ago, like end of March, a bi-length flow. However, they never quite

acknowledged it as a vulnerability. The root cause is a particular

API endpoint that's essentially not authenticated and that then allows for this remote code

execution where you essentially inject arbitrary Python code that's executed by Langflow.

Now, Langflow itself is a tool that's been used by GenDic AI, meaning that it's used to

essentially orchestrate different AI tools and then also tools that execute on what

the AI outputs.

...