CISA KEV: Langflow & Trend Micro Apex One Flaws

CISA has added two actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: one affecting Langflow, the popular open-source AI workflow builder, and another hitting Trend Micro Apex One, a widely deployed enterprise endpoint security product. Both entries signal confirmed in-the-wild exploitation, which means threat actors are not waiting for proof-of-concept code. They already have it working.

What Are the Langflow and Trend Micro Apex One Vulnerabilities?

The Langflow flaw is tracked as CVE-2025-3248, a critical remote code execution vulnerability with a CVSS score of 9.8. The issue lives in the /api/v1/validate/code endpoint, which fails to properly sandbox user-supplied Python code before executing it on the server. An unauthenticated attacker can send a crafted request to that endpoint and run arbitrary commands with the privileges of the Langflow process. No authentication required. No complex chaining needed.

The Trend Micro Apex One vulnerability is a separate but equally serious issue. It allows attackers to escalate privileges locally on affected Windows endpoints. Combined with an initial foothold gained through phishing or another vector, this kind of privilege escalation flaw is exactly what ransomware operators use to move from a low-privileged user session to full system control before deploying payloads.

Why These Two Vulnerabilities Matter Right Now

Langflow has grown fast. Developers building AI pipelines, RAG applications, and LLM-powered workflows have adopted it heavily over the past year. That growth means a large, heterogeneous install base, and many of those deployments are exposed directly to the internet or accessible within internal networks that treat them as trusted infrastructure.

Apex One sits on enterprise endpoints across thousands of organizations. Security tooling that itself becomes a vector for compromise is a particularly painful category of vulnerability because security teams often delay patching security products out of fear of disrupting protection. Attackers know this pattern and actively target it.

CISA's KEV listing carries weight. Federal civilian agencies are required to remediate KEV entries within defined deadlines. For everyone else, a KEV listing is a strong signal that exploitation is real and widespread enough to warrant immediate action, not next sprint.

How Developers and Security Teams Should Respond

Patch immediately. Langflow users should upgrade to version 1.3.0 or later, which addresses CVE-2025-3248. Trend Micro has released patches for the Apex One privilege escalation flaw and published guidance through its security advisories portal.

If patching is not immediately possible for Langflow, restrict access to the API endpoint at the network layer. The /api/v1/validate/code endpoint should not be reachable from untrusted networks under any circumstances. Use a WAF or network ACL to block external access while you schedule the upgrade.

For Apex One, apply the vendor patch and audit local accounts and privilege assignments on affected endpoints. Check for signs of lateral movement or new scheduled tasks created around the time exploitation may have occurred.

Run your own applications through a DAST scanner to identify exposed API endpoints that accept and execute user-supplied code. Tools like VibeWShield can surface these kinds of dangerous input handling issues before attackers find them.

Review your patch management SLA for both AI tooling and security products. Both categories tend to get delayed. Both are high-value targets.

Keeping AI Tooling Patched in Your Pipeline

AI workflow tools like Langflow are often deployed quickly by engineering teams and then left running without the same patch scrutiny applied to production web applications. That needs to change. Any service that executes code, processes external input, or handles model outputs is an attack surface. Treat it accordingly.

Check the VibeWShield blog for deeper coverage on securing AI pipeline infrastructure.

What versions of Langflow are affected by CVE-2025-3248? All Langflow versions prior to 1.3.0 are vulnerable. The unauthenticated RCE exists in the code validation endpoint and requires no special permissions to exploit.

Does the Trend Micro Apex One vulnerability allow remote exploitation? The Apex One flaw is a local privilege escalation. An attacker needs an existing foothold on the endpoint first, but from there they can gain SYSTEM-level access without additional credentials.

How do I know if my Langflow instance was already compromised? Review server logs for unexpected POST requests to /api/v1/validate/code from external IPs. Look for unusual child processes spawned by the Langflow process and any new files written to the server filesystem around those timestamps.

Scan your web applications now for exposed endpoints and injection vulnerabilities at VibeWShield.