FortiNDRCloud
SaaS based NDR solution providing 365 days data retention, along with Technical Success Manager
kcheung
Article Id 393827
Description

FortiGuard Labs has observed exploitation attempts of CVE-2025-3248 in Langflow.

Langflow is a Python-based application that allows users to visually build AI agents and workflows.

CVE-2025-3248 is an authentication bypass flaw that enables unauthenticated attackers to remotely execute arbitrary Python code by sending a crafted HTTP request to the vulnerable endpoint.

The following versions of Langflow are vulnerable to CVE-2025-3248:

  • Version < 1.3.0

CVE ID    

CVE-2025-3248 (https://nvd.nist.gov/vuln/detail/CVE-2025-3248)

NDR Cloud Detection Rule

FortiNDR Cloud v25.2b+

  • Detection Rule Name: FortiGuard Outbreak Alert: Langflow Unauthenticated Remove Code Execution - CVE-2025-3248
  • Category: Attack : Exploitation
  • Primary MITRE ID: T1190 - Exploit Public-Facing Application

Playbook

N/A

Threat Hunting

FortiNDR Cloud users can use the following IOCs from Fortinet to hunt for “Langflow Unauth RCE Attack” related activities.
IOC source: https://www.fortiguard.com/outbreak-ioc?tag=Langflow%20Unauth%20RCE
All IOCs listed above have been added to Threat Intelligence Intel.

Suricata Coverage

Customers can create custom investigation/detections using the Suricata signatures below:

2061448 -> ET WEB_SPECIFIC_APPS Langflow AI Unauthenticated Remote Code Execution via Code Validation Endpoint (CVE-2025-3248)
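
Where only reverse-proxy access logs are available, requests to the code validation endpoint can also be hunted offline. The following is an added example, not Fortinet's or Langflow's code; the endpoint path is an assumption taken from the public NVD description of CVE-2025-3248 rather than from this article, and the log lines are constructed.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumption: endpoint path from the public NVD description of CVE-2025-3248;
# it is not stated in this article.
VALIDATE_PATH = "/api/v1/validate/code"

# Common/combined access-log format: src ident user [ts] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def normalise(target: str) -> str:
    """Strip the query string, percent-decode, and collapse slashes and dot segments."""
    path = unquote(target.split("?", 1)[0].split("#", 1)[0])
    return posixpath.normpath(re.sub(r"/+", "/", path))

def hunt(lines):
    """Return {source: [(timestamp, status), ...]} for POSTs to the endpoint."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and normalise(m["target"]) == VALIDATE_PATH:
            hits[m["src"]].append((m["ts"], int(m["status"])))
    return dict(hits)

def reached_app(hits):
    """Sources with at least one 2xx response (not blocked upstream): triage first."""
    return sorted(s for s, ev in hits.items() if any(200 <= c < 300 for _, c in ev))

# Constructed sample log lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/May/2025:10:01:02 +0000] "GET /api/v1/flows/ HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/May/2025:10:01:05 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 230',
    '203.0.113.7 - - [12/May/2025:10:01:09 +0000] "POST /api/v1/%76alidate/code/?x=1 HTTP/1.1" 200 230',
    '198.51.100.4 - - [12/May/2025:10:02:00 +0000] "POST //api/v1/validate/code HTTP/1.1" 403 0',
    '192.0.2.10 - - [12/May/2025:10:03:00 +0000] "GET /api/v1/validate/code HTTP/1.1" 405 0',
]

if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for src, events in found.items():
        print(src, events)
    print("triage first:", reached_app(found))
```

Any source that received a 2xx response from an instance running a version below 1.3.0 should be treated as a possible compromise and cross-checked against the IOC list above.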

Other Fortinet Products

For more details on mitigating the vulnerability with Fortinet products, refer to:
https://www.fortiguard.com/outbreak-alert/langflow-unauth-rce