Executive Summary
On May 21, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2025-34291, an origin validation error in Langflow, and CVE-2026-34926, a directory traversal flaw in Trend Micro Apex One (on-premise). Both vulnerabilities have been actively exploited, posing significant risks to affected systems. (thehackernews.com)
The inclusion of these vulnerabilities in the KEV Catalog underscores the ongoing threat posed by unpatched software flaws. Organizations are urged to prioritize remediation efforts to mitigate potential exploitation and safeguard their systems against emerging cyber threats.
Why This Matters Now
The active exploitation of these vulnerabilities highlights the critical need for organizations to promptly address known security flaws to prevent potential breaches and system compromises.
Attack Path Analysis
An attacker exploits Langflow's overly permissive CORS configuration, combined with its insecure cookie settings, to take over a user's session and then executes arbitrary code on the Langflow host. From that foothold the attacker moves laterally within the network, establishes command-and-control channels, exfiltrates sensitive data, and disrupts services.
Kill Chain Progression
Initial Compromise
Description
The attacker exploits Langflow's overly permissive CORS configuration to perform cross-origin requests, obtaining access and refresh tokens from a victim's session.
Related CVEs
CVE-2025-34291
CVSS 8.8
Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution due to an overly permissive CORS configuration combined with insecure cookie settings.
Affected Products:
Langflow – <= 1.6.9
Exploit Status:
exploited in the wild
CVE-2026-34926
CVSS 6.7
A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations.
Affected Products:
Trend Micro Apex One – < 14.0.0.17079
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Valid Accounts
Command and Scripting Interpreter
Hijack Execution Flow
Exploitation of Remote Services
Impair Defenses
Remote Services
Inhibit System Recovery
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Access Controls and Identity Management
Control ID: 500.07
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Identity Management and Access Control
Control ID: Pillar 1: Identity
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Critical exposure to the Langflow origin validation error and the Trend Micro Apex One directory traversal flaw, requiring immediate remediation of development platforms and security tools.
Computer/Network Security
Direct impact from Trend Micro Apex One directory traversal vulnerability compromising endpoint security solutions and enterprise protection infrastructure.
Government Administration
Federal agencies mandated under BOD 22-01 to remediate KEV catalog vulnerabilities by specified deadlines to protect civilian networks.
Information Technology/IT
Widespread vulnerability management practices must prioritize these active exploitation vectors affecting workflow automation and endpoint security systems.
Sources
- CISA Adds Two Known Exploited Vulnerabilities to Catalog: https://www.cisa.gov/news-events/alerts/2026/05/21/cisa-adds-two-known-exploited-vulnerabilities-catalog
- NVD - CVE-2025-34291: https://nvd.nist.gov/vuln/detail/CVE-2025-34291
- NVD - CVE-2026-34926: https://nvd.nist.gov/vuln/detail/CVE-2026-34926
- Trend Micro Apex One (On-Premise) Directory Traversal Vulnerability: https://success.trendmicro.com/en-US/solution/KA-0023430
- Langflow RCE Vulnerability: https://www.sentinelone.com/vulnerability-database/cve-2025-34291/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to exploit misconfigurations, limit lateral movement, and control data exfiltration, thereby reducing the overall impact.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit misconfigurations may have been constrained, reducing the likelihood of unauthorized token access.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been limited, reducing the scope of unauthorized code execution.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement within the network would likely have been constrained, limiting access to additional resources.
Control: Multicloud Visibility & Control
Mitigation: The establishment of command and control channels may have been detected and disrupted, reducing persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data would likely have been restricted, minimizing data loss.
The overall impact of service disruption and data loss could have been mitigated, reducing operational downtime.
Impact at a Glance
Affected Business Functions
- System Administration
- Network Security
- Data Management
Estimated downtime: 7 days
Estimated loss: $50,000
Potential exposure of sensitive system configurations and user authentication tokens.
Recommended Actions
Key Takeaways & Next Steps
- Implement strict CORS policies: allow only an exact-match list of trusted origins, never reflect arbitrary origins together with credentials, and set HttpOnly, Secure and SameSite attributes on session-token cookies.
- Enforce Zero Trust Segmentation to limit lateral movement within the network.
- Deploy Inline IPS (Suricata) to detect and prevent exploitation attempts.
- Utilize Threat Detection & Anomaly Response systems to identify and respond to suspicious activities.
- Regularly update and patch systems to mitigate known vulnerabilities; for these two CVEs that means Langflow later than 1.6.9 and Apex One 14.0.0.17079 or later.
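The token-theft primitive behind CVE-2025-34291 as the page describes it (an API that reflects any Origin with Access-Control-Allow-Credentials: true, plus session-token cookies without protective attributes) can be checked mechanically. The following is an added example, not Langflow's code, CISA's, or the vendor's; it audits a response's CORS headers and a Set-Cookie value, and builds the strict allowlist policy the first recommendation above calls for. The allowlisted origin, the attacker origin, the cookie name `access_token_lf` and all header values are constructed assumptions for illustration, not captured from a real deployment.

```python
"""Audit CORS response headers and session-cookie attributes for the
cross-origin token-theft pattern, and emit a strict CORS policy instead.
Standard library only; every sample value is constructed for this example
and the cookie name is an assumption, not taken from Langflow."""

# Assumed trusted front-end origin for the API being audited.
ALLOWLIST = {"https://langflow.corp.example"}


def _header(headers, name):
    """Case-insensitive lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def cors_findings(request_origin, headers, allowlist):
    """Finding codes for a response to a request that carried
    `Origin: request_origin`. Empty list: a cross-site page cannot read it."""
    acao = _header(headers, "Access-Control-Allow-Origin")
    creds = (_header(headers, "Access-Control-Allow-Credentials") or "").lower() == "true"
    vary = (_header(headers, "Vary") or "").lower()
    findings = []
    if acao is None:
        return findings  # no ACAO: the browser denies the cross-origin read
    if acao == "*" and creds:
        # Browsers reject this pair, but it signals an "allow everything" config.
        findings.append("wildcard-origin-with-credentials")
    if acao == "null":
        findings.append("null-origin-allowed")  # sandboxed iframes send Origin: null
    if acao == request_origin and request_origin not in allowlist:
        # The server echoed an arbitrary Origin; with credentials=true an
        # attacker page can issue authenticated requests and read the bodies.
        findings.append("reflected-untrusted-origin-with-credentials" if creds
                        else "reflected-untrusted-origin")
    if acao != "*" and "origin" not in vary:
        # Per-origin ACAO without Vary: Origin lets a shared cache hand one
        # origin's allow header to a different origin.
        findings.append("missing-vary-origin")
    return findings


def cookie_findings(set_cookie):
    """Parse one Set-Cookie value and flag attributes that let a cross-site
    page read the token or make the browser attach it to cross-site requests."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip().lower()
    findings = []
    if "httponly" not in attrs:
        findings.append("readable-by-script")  # document.cookie exposes the token
    if "secure" not in attrs:
        findings.append("sent-over-plaintext-http")
    samesite = attrs.get("samesite")
    if samesite == "none":
        # Attached to credentialed cross-site fetch(); together with a
        # reflected ACAO this is the account-takeover primitive.
        findings.append("sent-cross-site")
    elif samesite is None:
        findings.append("samesite-unset")  # default is browser-dependent
    return name, findings


def strict_cors_headers(request_origin, allowlist):
    """Strict policy: exact-match allowlist, credentials only for trusted
    origins, Vary: Origin always, and no ACAO at all for anything else."""
    headers = {"Vary": "Origin"}
    if request_origin in allowlist:
        headers["Access-Control-Allow-Origin"] = request_origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


# Constructed sample: a vulnerable API reflecting the attacker's Origin.
ATTACKER = "https://attacker.example"
VULN_RESPONSE = {
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": ATTACKER,
    "Access-Control-Allow-Credentials": "true",
}
# Constructed cookies; "access_token_lf" is an assumed name for illustration.
VULN_COOKIE = "access_token_lf=eyJhbGciOiJIUzI1NiJ9.sample.sig; Path=/; SameSite=None"
SAFE_COOKIE = "access_token_lf=eyJhbGciOiJIUzI1NiJ9.sample.sig; Path=/; HttpOnly; Secure; SameSite=Lax"


def audit(request_origin, headers, set_cookie, allowlist=ALLOWLIST):
    """Combine both checks: the token-theft chain needs a reflected untrusted
    origin with credentials AND a cookie the browser sends cross-site."""
    cors = cors_findings(request_origin, headers, allowlist)
    name, cookie = cookie_findings(set_cookie)
    chain = ("reflected-untrusted-origin-with-credentials" in cors
             and "sent-cross-site" in cookie)
    return {"cors": cors, "cookie": name, "cookie_findings": cookie,
            "token_theft_chain": chain}


if __name__ == "__main__":
    print("vulnerable:", audit(ATTACKER, VULN_RESPONSE, VULN_COOKIE))
    print("hardened:  ", audit(ATTACKER, strict_cors_headers(ATTACKER, ALLOWLIST), SAFE_COOKIE))
```

Run it against captured headers from a preflight or authenticated API response (for example, copied from a browser's network panel or a curl -i with a spoofed Origin header) to see which half of the chain an instance exposes; the strict policy deliberately returns no Access-Control-Allow-Origin for unknown origins rather than a wildcard, so credentialed reads fail closed.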