INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
U.S. CISA Adds Trend Micro Apex One Langflow Exploited Vulnerabilities
2026-05-22 09:13 | CRITICAL HIGH
Executive Summary AI-generated
The threat landscape is rapidly evolving, with new vulnerabilities being exposed daily. A recent incident highlights the severity of CVE-2025-34291 and its potential to compromise sensitive access tokens and API keys stored within workspaces. This flaw can be exploited through directory traversal attacks, allowing attackers to execute arbitrary code and achieve full system compromise. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added Trend Micro Apex One and Langflow flaws to its Known Exploited Vulnerabilities catalog, emphasizing the need for immediate attention from federal agencies and private sector organizations alike.
Technical Mitigations AI-generated
* Implement secure coding practices: Ensure that developers and administrators follow secure coding guidelines, such as validating user input, using secure protocols (e.g., HTTPS), and implementing access controls to prevent unauthorized modifications or executions.
* Regularly update software and firmware: Keep all operating systems, applications, and firmware up-to-date with the latest security patches and updates to ensure that known vulnerabilities are addressed before they can be exploited by attackers.
* Use secure authentication mechanisms: Implement strong authentication protocols, such as multi-factor authentication (MFA), to prevent unauthorized access to sensitive areas of a system or network. Ensure that MFA is enabled for all users with elevated privileges.
* Monitor and respond to security incidents: Establish incident response plans to quickly identify, contain, and remediate security breaches in a timely manner. This includes having a clear understanding of the organization's incident response procedures and being able to communicate effectively with stakeholders during an incident.
* Implement access controls and segregation of duties (SoD): Ensure that users have only necessary permissions and privileges to perform their tasks, reducing the attack surface by limiting access to sensitive areas or data. Implement SoD policies to prevent a single individual from having too much control over critical systems or resources.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
MuddyWater
CVE-2026-34926
CVE-2025-34291
Target & Sectors
Global Scope
Incident Timeline
December 2025
Threat actors used CVE-2025-34291 to compromise the Langflow instance, exposing all sensitive access tokens and API keys stored within the workspace.
A report published by Obsidian Security back in December 2025 laid out exactly why CVE-2025-34291 is as dangerous as it sounds.
In a report published in December 2025, Obsidian Security said CVE-2025-34291 exploits three combined weaknesses: overly permissive CORS, lack of cross-site request forgery (CSRF) protection, and an endpoint that allows code execution by design.
“The impact is severe: successful exploitation not only compromises the Langflow instance but also exposes all sensitive access tokens and API keys stored within the workspace.”
March 2026
Trend Micro Apex One was added to the Known Exploited Vulnerabilities catalog by CISA.
In March 2026, Ctrl-Alt-Intel published a report documenting active exploitation of CVE-2025-34291 by MuddyWater, an Iran-nexus APT group, which used the vulnerability to gain initial access to target networks.
The vulnerability has since been exploited by an Iranian state-sponsored hacking group named MuddyWater to obtain initial access to target networks, according to a Ctrl-Alt-Intel analysis published in March 2026.
When a nation-state actor is actively using something in real intrusions, the conversation shifts from “you should patch this” to “if you have not patched this, assume you may already have a problem.”
CVE-2026-34926 (CVSS score of 6.7) is a directory traversal flaw in on-premise Trend Micro Apex One that lets a local attacker modify server tables and inject malicious code to affected agents.
Trend Micro has confirmed that CVE-2026-34926 is actively exploited in the wild.
“This vulnerability is only exploitable on the on-premise version of Apex One and a potential attacker must have access to the Apex One Server and already obtained administrative credentials to the server via some other method to exploit this vulnerability.”
May 22, 2026
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Langflow and Trend Micro Apex One to its Known Exploited Vulnerabilities catalog due to evidence of active exploitation.
Ravie Lakshmanan
May 22, 2026
Vulnerability / Cyber Attack
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added two security flaws impacting Langflow and Trend Micro Apex One to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
2026/05/22
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Trend Micro Apex One and Langflow flaws to its Known Exploited Vulnerabilities catalog due to directory traversal vulnerabilities in on-premise versions of the software, which could allow attackers to inject malicious code into agents.
Below are the flaws added to the catalog:
CVE-2025-34291 Langflow Origin Validation Error Vulnerability
CVE-2026-34926 Trend Micro Apex One (On-Premise) Directory Traversal Vulnerability
CVE-2025-34291 (CVSS score of 9.4) is an origin validation error issue in Langflow. An attacker can exploit the flaw to execute arbitrary code and achieve full system compromise.
The vulnerabilities in question are listed below -
CVE-2025-34291 (CVSS score: 9.4) -
CVE-2026-34926 (CVSS score: 6.7) -
As for CVE-2026-34926, Trend Micro said it "observed at least one instance of an attempt to actively exploit one of these vulnerabilities in the wild."
A directory traversal vulnerability in on-premise versions of Trend Micro Apex One that could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations.
"The impact is severe: successful exploitation not only compromises the Langflow instance but also exposes all sensitive access tokens and API keys stored within the workspace," the company noted at the time.
"This vulnerability is only exploitable on the on-premise version of Apex One and a potential attacker must have access to the Apex One Server and already obtained administrative credentials to the server via some other method to exploit this vulnerability," it added.
June 4, 2026
Threat actors used Trend Micro Apex One and Langflow to target Federal Civilian Executive Branch agencies.
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by June 4, 2026, to secure their networks.
Tactical Metrics
infrastructure | Affected Product | Windows
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Windows Shell and ConnectWise ScreenConnect flaws to its Known Exploited Vulnerabilities (KEV) catalog.
Intelligence Sources
The Hacker News
2026-05-22
Security Affairs
2026-05-22
Incident Version History
CURRENT VERSION
Last Updated: 2026-06-26T10:30
Comprehensive Tactical Telemetry
Highly Correlated Entities
11x | organisation | Identified Entity | Ctrl-Alt-Intel | entity
11x | attribution | Attributing Entity | The U.S. Cybersecurity and Infrastructure Security Agency | authority
5x | timeline | Temporal Reference | March 2026 | date
2x | vulnerability | Exploited CVE | CVE-2025-34291 | cve
2x | tactic | MITRE ATT&CK Technique | T1588.006 - Vulnerabilities | technique
2x | vulnerability | CVSS Score | 9 | score
Contextual Telemetry
Context Block: 5 METRICS
source region | Origin Country | Iran, Islamic Republic of | country
threat actor | APT Group | MuddyWater | actor
infrastructure | Affected Product | Windows | software
general metric | Vulnerabilities | 9 | vulnerabilities
general metric | Cve-2026 Cvss Score | 7 | cve-2026 cvss score