CISA Adds Exploited Langflow and Trend Micro Apex One Vulnerabilities to KEV Catalog

Security Reporter

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two actively exploited vulnerabilities affecting Langflow and Trend Micro Apex One to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to address them by June 4, 2026.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The move underscores the severity of these flaws and mandates immediate action from federal agencies to secure their systems against potential attacks.


What is the KEV Catalog?

The KEV catalog serves as a critical resource for organizations to prioritize remediation of vulnerabilities that are known to be exploited by malicious actors. When CISA adds vulnerabilities to this list, it indicates that these flaws are being actively exploited in real-world attacks, making them top priorities for security teams.

Langflow Vulnerability (CVE-2025-34291)

The first vulnerability added to the KEV catalog is CVE-2025-34291, a critical flaw in Langflow with a CVSS score of 9.4. This is an origin validation error vulnerability that could allow an attacker to execute arbitrary code and achieve full system compromise.

According to a report published by Obsidian Security in December 2025, exploitation of this vulnerability relies on three combined weaknesses: an overly permissive Cross-Origin Resource Sharing (CORS) policy, a lack of cross-site request forgery (CSRF) protection, and an endpoint that allows code execution by design.

"The impact is severe: successful exploitation not only compromises the Langflow instance but also exposes all sensitive access tokens and API keys stored within the workspace," Obsidian Security noted. "This can trigger a cascading compromise across all integrated downstream services in cloud and SaaS environments."

Further analysis by Ctrl-Alt-Intel in March 2026 revealed that the vulnerability has been exploited by the Iranian hacking group MuddyWater to obtain initial access to target networks. This attribution highlights the sophistication of the actors leveraging this vulnerability and the potential geopolitical implications of such attacks.

For organizations using Langflow, immediate remediation is critical. The vulnerability affects all versions prior to the patched release, and organizations should apply the available updates as soon as possible. Additionally, security teams should monitor for any signs of compromise, particularly unusual API activity or unauthorized access attempts.
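The first two weakness classes described above, permissive CORS and missing CSRF protection, can be shown side by side with their hardened forms. This is an added, generic illustration and not Langflow's code or its patch; the allowlisted origin, the function names and the CSRF token scheme are assumptions made for the example.

```python
import hmac
from urllib.parse import urlsplit

# Constructed allowlist; a real deployment lists its own front-end origins.
ALLOWED_ORIGINS = {"https://app.example.internal"}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def normalize_origin(origin):
    """Return canonical scheme://host[:port], or None if absent or malformed."""
    if not origin or origin == "null":
        return None
    try:
        parts = urlsplit(origin)
        port = parts.port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username:
        return None
    default = {"http": 80, "https": 443}[parts.scheme]
    return f"{parts.scheme}://{parts.hostname}" + ("" if port in (None, default) else f":{port}")


def permissive_cors(origin):
    """Weak pattern: echo any Origin back and allow credentialed reads."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def strict_cors(origin):
    """Hardened pattern: exact allowlist match, otherwise no CORS grant."""
    headers = {"Vary": "Origin"}
    normalized = normalize_origin(origin)
    if normalized in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = normalized
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def accept_request(method, origin, csrf_header, session_csrf):
    """CSRF gate for cookie-authenticated, state-changing requests."""
    if method.upper() not in STATE_CHANGING:
        return True
    if normalize_origin(origin) not in ALLOWED_ORIGINS:
        return False  # missing or foreign Origin on a write is refused
    sent = (csrf_header or "").encode()
    return bool(session_csrf) and hmac.compare_digest(sent, session_csrf.encode())
```

The strict variant compares the parsed origin exactly, so a look-alike host that merely begins with the trusted name receives no CORS grant, and a write without a matching per-session token is refused even from an allowlisted origin.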

Trend Micro Apex One Vulnerability (CVE-2026-34926)

The second vulnerability added to the KEV catalog is CVE-2026-34926, which affects on-premise versions of Trend Micro Apex One and has a CVSS score of 6.7. It is a directory traversal vulnerability that could allow a pre-authenticated local attacker to modify a key table on the server and inject malicious code that is then deployed to agents on affected installations.

Trend Micro confirmed that it "observed at least one instance of an attempt to actively exploit one of these vulnerabilities in the wild." The company clarified that this vulnerability is only exploitable on the on-premise version of Apex One and requires an attacker to have access to the Apex One Server and to have already obtained administrative credentials via some other method.

While the CVSS score is lower than the Langflow vulnerability, the real-world exploitation evidence makes it equally critical for affected organizations to address promptly. The potential for code injection in security software like Apex One is particularly concerning as it could undermine the very systems designed to protect an organization.

Federal Mandate and Timeline

In light of the active exploitation of both vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by June 4, 2026, to secure their networks. This deadline underscores the urgency of the situation and the importance of prioritizing these vulnerabilities in remediation efforts.

While the mandate applies specifically to federal agencies, the widespread exploitation of these vulnerabilities makes them critical priorities for all organizations using affected software. The timeline provides a clear deadline for organizations to assess their exposure and implement appropriate mitigations.

Practical Recommendations for Organizations

For organizations using Langflow or Trend Micro Apex One, several steps should be taken immediately:

  1. Assess Exposure: Determine which versions of the affected software are in use across the organization and identify all instances that may be vulnerable.

  2. Prioritize Patching: Apply available patches as soon as possible. For organizations with complex environments, consider implementing a phased approach to minimize disruption.

  3. Implement Temporary Mitigations: If immediate patching isn't possible, implement compensating controls such as network segmentation, restricted access to vulnerable systems, and additional monitoring.

  4. Monitor for Compromise: Deploy enhanced monitoring to detect any signs of exploitation, particularly unusual system behavior, unexpected network traffic, or unauthorized access attempts.

  5. Review Access Controls: Assess and strengthen access controls for affected systems, particularly for Trend Micro Apex One where administrative access is a prerequisite for exploitation.

  6. Update Incident Response Plans: Ensure that incident response plans include specific procedures for addressing these vulnerabilities and potential compromises.
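For the first two steps above, scanner findings can be joined against the KEV feed and ordered by remediation deadline. The script below is an added example, not CISA tooling: the KEV excerpt is constructed in the shape of CISA's JSON feed using the CVE IDs and due date from this article, and the findings list, host names and placeholder CVE are hypothetical.

```python
import json
from datetime import date

# Constructed excerpt shaped like the KEV JSON feed; CVE IDs and the due date
# are the ones given in this article, all other feed fields are omitted.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2025-34291", "vendorProject": "Langflow",
   "product": "Langflow", "dueDate": "2026-06-04"},
  {"cveID": "CVE-2026-34926", "vendorProject": "Trend Micro",
   "product": "Apex One", "dueDate": "2026-06-04"}
]}
""")

# Hypothetical scanner export: one row per (host, CVE) finding.
# CVE-0000-00000 is a placeholder for a finding that is not in KEV.
FINDINGS = [
    {"host": "av-mgmt-01", "cve": "cve-2026-34926", "internet_facing": False},
    {"host": "web-02", "cve": "CVE-0000-00000", "internet_facing": True},
    {"host": "ml-dev-01", "cve": "CVE-2025-34291", "internet_facing": True},
]


def kev_worklist(kev, findings, today):
    """Join findings against KEV entries and order them by urgency."""
    due = {v["cveID"].upper(): date.fromisoformat(v["dueDate"])
           for v in kev["vulnerabilities"]}
    rows = []
    for finding in findings:
        deadline = due.get(finding["cve"].upper())
        if deadline is None:
            continue  # not in KEV: stays in the normal severity-based queue
        days_left = (deadline - today).days
        rows.append({**finding, "due": deadline.isoformat(),
                     "days_left": days_left, "overdue": days_left < 0})
    # Nearest (or most overdue) deadline first, internet-facing hosts first.
    rows.sort(key=lambda r: (r["days_left"], not r["internet_facing"]))
    return rows


if __name__ == "__main__":
    for row in kev_worklist(KEV_SAMPLE, FINDINGS, date.today()):
        print(row["host"], row["cve"], row["due"], row["days_left"], row["overdue"])
```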

Broader Implications

The addition of these vulnerabilities to the KEV catalog highlights several important trends in the threat landscape:

  • Supply Chain Attacks: Both vulnerabilities affect development tools and security software, illustrating the increasing focus on compromising development pipelines and security tools themselves.

  • Exploitation of Multiple Weaknesses: The Langflow vulnerability combines multiple security flaws, demonstrating that attackers often chain vulnerabilities to achieve greater impact.

  • Geopolitical Threat Actors: The attribution of the Langflow exploitation to MuddyWater, an Iranian hacking group, highlights the involvement of state-sponsored actors in exploiting critical vulnerabilities.

  • Speed of Exploitation: The relatively short timeframe between the discovery of these vulnerabilities and their addition to the KEV catalog underscores how quickly vulnerabilities are being weaponized in the wild.

For security teams, these developments reinforce the importance of a proactive vulnerability management program that prioritizes not just critical vulnerabilities, but those that are actively being exploited. The KEV catalog serves as an essential resource for this prioritization, but organizations should also supplement it with threat intelligence from other sources to maintain comprehensive visibility into emerging threats.

As the threat landscape continues to evolve, organizations must remain vigilant in their security practices, regularly updating and patching systems, and maintaining robust monitoring and detection capabilities to identify and respond to potential exploitation attempts promptly.
