Executive Summary
On May 21, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2025-34291, an origin validation error in Langflow with a CVSS score of 9.4, and CVE-2026-34926, a directory traversal flaw in on-premise versions of Trend Micro Apex One with a CVSS score of 6.7. Both vulnerabilities have been actively exploited, with CVE-2025-34291 being leveraged by the Iranian state-sponsored group MuddyWater to gain initial access to target networks. (thehackernews.com)
The inclusion of these vulnerabilities in the KEV catalog underscores the persistent threat posed by state-sponsored actors and the critical need for organizations to promptly address known security flaws. Federal agencies are mandated to apply necessary fixes by June 4, 2026, highlighting the urgency of mitigating these risks to protect sensitive systems and data. (thehackernews.com)
Why This Matters Now
The active exploitation of these vulnerabilities by state-sponsored actors like MuddyWater highlights the immediate threat to organizations using Langflow and Trend Micro Apex One. Prompt remediation is essential to prevent potential system compromises and data breaches.
Attack Path Analysis
An attacker exploited a CORS misconfiguration in Langflow to hijack user sessions, escalated privileges by obtaining access tokens, moved laterally within the network, established command and control channels, exfiltrated sensitive data, and caused significant operational disruption.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited an overly permissive CORS configuration in Langflow, allowing cross-origin requests to include credentials and access the refresh endpoint.
Related CVEs
CVE-2025-34291
CVSS 8.8. A chained vulnerability in Langflow up to version 1.6.9 allows account takeover and remote code execution due to overly permissive CORS configuration and insecure cookie settings.
Affected Products:
Langflow – <= 1.6.9
Exploit Status:
exploited in the wild
CVE-2026-34926
CVSS 6.7. A directory traversal vulnerability in Trend Micro Apex One (on-premise) allows a pre-authenticated local attacker to modify key tables and inject malicious code to deploy to agents.
Affected Products:
Trend Micro Apex One – on-premise versions
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Valid Accounts
Command and Scripting Interpreter
External Remote Services
Use Alternate Authentication Material
Application Layer Protocol
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity
Control ID: Pillar 1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer/Network Security
Critical vulnerability exploitation in Trend Micro Apex One endpoint security compromises security infrastructure, requiring immediate patching and enhanced monitoring capabilities.
Information Technology/IT
Active exploitation of Langflow and Trend Micro vulnerabilities threatens IT infrastructure through lateral movement and privilege escalation attack vectors.
Financial Services
CISA KEV additions indicate sophisticated threats targeting encrypted traffic and zero trust implementations critical for financial data protection compliance.
Health Care / Life Sciences
Vulnerability exploitation threatens HIPAA compliance through compromised endpoint security and potential data exfiltration via encrypted traffic manipulation techniques.
Sources
- CISA Adds Exploited Langflow and Trend Micro Apex One Vulnerabilities to KEV – https://thehackernews.com/2026/05/cisa-adds-exploited-langflow-and-trend.html (Verified)
- CVE-2025-34291 Detail – https://nvd.nist.gov/vuln/detail/CVE-2025-34291 (Verified)
- Langflow <= 1.6.9 CORS Misconfiguration to Token Hijack & RCE – https://www.vulncheck.com/advisories/langflow-cors-misconfiguration-to-token-hijack-and-rce (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to exploit the CORS misconfiguration, thereby reducing the potential for lateral movement and data exfiltration.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit the CORS misconfiguration may have been constrained, reducing unauthorized access to sensitive endpoints.
Control: Zero Trust Segmentation
Mitigation: The attacker's unauthorized access to authenticated endpoints could have been limited, reducing the risk of privilege escalation.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement within the network would likely have been constrained, limiting access to other systems.
Control: Multicloud Visibility & Control
Mitigation: The establishment of command and control channels may have been detected and disrupted, reducing persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: The exfiltration of sensitive data would likely have been restricted, reducing data loss.
The operational disruption caused by arbitrary code execution and malware deployment would likely have been limited, reducing overall impact.
Impact at a Glance
Affected Business Functions
- AI Workflow Management
- System Integration
Estimated downtime: 7 days
Estimated loss: $500,000
Access tokens and API keys stored within the Langflow workspace, potentially leading to further compromise of integrated services.
Recommended Actions
Key Takeaways & Next Steps
- Implement strict CORS policies to prevent unauthorized cross-origin requests.
- Enforce Zero Trust Segmentation to limit lateral movement within the network.
- Utilize East-West Traffic Security to monitor and control internal traffic flows.
- Deploy Egress Security & Policy Enforcement to detect and prevent unauthorized data exfiltration.
- Establish Threat Detection & Anomaly Response mechanisms to identify and respond to suspicious activities promptly.
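As an added example (not code from Langflow, Aviatrix or the cited advisories), the following Python check audits a web application's response headers for the two conditions behind the Langflow issue described above: an untrusted Origin reflected in Access-Control-Allow-Origin while credentials are allowed, and a refresh or session cookie issued without Secure, HttpOnly and SameSite. The trusted-origin allowlist, sample headers, origins and cookie name are constructed values, not captured Langflow traffic.

```python
from __future__ import annotations

# Constructed allowlist: the only origin that should receive credentialed CORS responses.
TRUSTED_ORIGINS = {"https://langflow.internal.example"}


def audit_cors(origin: str, headers: dict) -> list[str]:
    """Return findings for a response to a request that carried `origin` as its Origin header.

    `headers` maps response header names to values; "Set-Cookie" may be a list of strings.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []
    acao = h.get("access-control-allow-origin")
    creds = str(h.get("access-control-allow-credentials", "")).lower() == "true"

    if acao == "*" and creds:
        # Browsers refuse to expose such a response, but the combination shows the
        # server is configured to hand credentialed responses to any origin.
        findings.append("wildcard ACAO combined with Allow-Credentials: true")
    elif acao and acao == origin and creds and origin not in TRUSTED_ORIGINS:
        # The server echoed an arbitrary origin and allowed credentials: a page on any
        # site a logged-in user visits can read authenticated responses (e.g. a refreshed token).
        findings.append(f"untrusted origin {origin} reflected with credentials allowed")

    cookies = h.get("set-cookie", [])
    if isinstance(cookies, str):
        cookies = [cookies]
    for cookie in cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = {part.strip().split("=", 1)[0].lower() for part in cookie.split(";")[1:]}
        for required in ("secure", "httponly", "samesite"):
            if required not in attrs:
                findings.append(f"cookie {name} lacks {required}")
    return findings


# Constructed sample: permissive configuration that reflects the caller's Origin
# and sets the refresh cookie without hardening flags.
PERMISSIVE = {
    "Access-Control-Allow-Origin": "https://untrusted.example",
    "Access-Control-Allow-Credentials": "true",
    "Set-Cookie": ["refresh_token=REDACTED; Path=/"],
}

# Constructed sample: allowlisted origin only, Vary: Origin for caches, hardened cookie.
HARDENED = {
    "Access-Control-Allow-Origin": "https://langflow.internal.example",
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
    "Set-Cookie": ["refresh_token=REDACTED; Path=/; Secure; HttpOnly; SameSite=Strict"],
}
```

Run it against a real deployment by sending a request with a test Origin header to the token-refresh endpoint and passing the response headers to `audit_cors`; an empty list means neither condition was observed.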