CISA Expands KEV Catalog with Langflow and Apex One Exploits
The CISA KEV catalog has been updated to include two actively exploited flaws in Langflow and Trend Micro Apex One, significantly raising the stakes for organizations that rely on these platforms. The Langflow vulnerability, tracked as CVE-2025-34291 and rated 9.4 on the CVSS scale, stems from an origin validation error that can enable arbitrary code execution and full system compromise. The Apex One exploit, CVE-2026-34926 with a CVSS score of 6.7, is a directory traversal issue affecting on-premise deployments. While it requires prior administrative access to the Apex One server, it can be used to modify key tables and push malicious code to agents. With both vulnerabilities now formally recognized as vulnerabilities of concern for industrial automation environments, security and compliance teams must treat remediation as a priority rather than a routine patch cycle task.
Why These Vulnerabilities Threaten Industrial Automation Environments
Langflow’s design as an orchestration layer for workflows and integrations makes CVE-2025-34291 especially dangerous in industrial automation environments. The flaw combines overly permissive CORS, missing CSRF protection, and a code-execution endpoint, allowing attackers to hijack the Langflow instance and harvest sensitive access tokens and API keys. This can trigger cascading compromise across cloud, SaaS, and operational systems connected to plant-floor or industrial control networks. Meanwhile, Trend Micro Apex One is widely used as a cornerstone of enterprise security infrastructure, including in industrial sectors. The Apex One exploit can weaponize trusted security agents, turning them into distribution channels for malicious payloads if an attacker already has administrative control of the server. Together, these weaknesses undermine both the orchestration layer and the protective perimeter that industrial operators depend on to maintain safety, uptime, and regulatory compliance.
Federal Patching Mandate and June 4 Deadline Explained
In response to confirmed in-the-wild exploitation, CISA has issued a federal patching mandate for these KEV-listed flaws. Federal Civilian Executive Branch agencies must apply the Langflow security patch and Trend Micro Apex One fixes by June 4, 2026, to remain compliant with binding operational directives. This deadline reflects the risk that compromised Langflow instances could expose downstream services and that a weaponized Apex One infrastructure could distribute code broadly within sensitive networks. Although the Apex One exploit currently requires prior administrative access to the server, CISA’s decision to add it to the KEV catalog signals that exploitation paths are realistic and already being tested. Agencies that miss the deadline may face heightened scrutiny, mandatory risk mitigation reporting, and potential operational restrictions until compensating controls or patches are verified, making timely remediation a governance and audit priority.
Active Exploitation: From State-Aligned Threats to Enterprise Breach Risks
Evidence of active exploitation underscores why immediate action is essential. Security research has linked exploitation of Langflow’s CVE-2025-34291 to a state-sponsored group known as MuddyWater, which leverages the flaw for initial access into target networks. Once inside, attackers can pivot from compromised Langflow instances into cloud services, SaaS platforms, and potentially industrial automation systems that share credentials or API integrations. Trend Micro has also observed at least one attempted Apex One exploit in the wild, targeting on-premise servers. Even though CVE-2026-34926 requires an attacker to already possess administrative credentials, it provides a powerful method to convert the security platform into an attack propagation tool. For enterprises, especially those operating industrial environments, this turns a localized compromise into a potential enterprise-wide breach with significant operational implications.
Compliance Steps for Federal Contractors and Industrial Operators
Federal contractors and industrial operators supporting government environments should align their remediation plans with the federal patching mandate. First, inventory all Langflow instances, particularly those integrated with control systems, cloud, or SaaS services, and apply the latest Langflow security patch. Review CORS, CSRF, and code-execution endpoints to reduce exposure even after patching. Second, identify all on-premise Trend Micro Apex One servers, verify their patch levels, and deploy the vendor’s fixes for CVE-2026-34926. Because the Apex One exploit assumes prior administrative access, contractors should also harden credentials, audit administrative accounts, and monitor for unusual server or agent activity. Finally, document patching timelines, risk assessments, and compensating controls to demonstrate compliance for federal audits. Treat inclusion in the CISA KEV catalog as a clear signal that leaving these industrial automation vulnerabilities unpatched is no longer an acceptable risk.
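A defender-side check for the two Langflow weaknesses described earlier (permissive CORS and missing CSRF protection) and for the "review CORS, CSRF, and code-execution endpoints" step above, added here as an example rather than code from Langflow or the original article. It assumes response headers as captured by a reverse proxy or scanner; the hostnames and cookie value are constructed.

```python
"""Defender-side audit of the two weaknesses named above: a CORS policy that
grants untrusted origins credentialed access, and a session cookie lacking
CSRF-relevant attributes. Added example, not Langflow code; the headers
below are constructed samples, not captured from any real deployment."""
from typing import Dict, List, Set


def audit_cors(headers: Dict[str, str], request_origin: str,
               allowed: Set[str]) -> List[str]:
    """Return findings for one cross-origin response (empty list means OK)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    findings: List[str] = []
    if acao is None:
        return findings  # no grant at all: browsers block cross-origin reads
    if acao == "*":
        findings.append("wildcard origin")
    elif acao == "null":
        findings.append("null origin allowed")
    elif acao == request_origin and request_origin not in allowed:
        findings.append("reflects untrusted origin")
    if creds and findings:
        # An untrusted origin plus credentials lets a hostile page act as the
        # logged-in user against any endpoint, which is the CORS+CSRF chain.
        findings.append("credentialed access granted")
    return findings


def audit_session_cookie(set_cookie: str) -> List[str]:
    """Flag missing cookie attributes that limit cross-site use of a session."""
    attrs = {p.strip().split("=")[0].lower() for p in set_cookie.split(";")[1:]}
    wanted = {"samesite", "secure", "httponly"}
    return sorted(f"missing {a}" for a in wanted - attrs)


# Constructed sample: the origin is reflected with credentials and the
# session cookie has no SameSite attribute (hypothetical hostnames).
SAMPLE_HEADERS = {
    "Access-Control-Allow-Origin": "https://untrusted.example",
    "Access-Control-Allow-Credentials": "true",
    "Set-Cookie": "session=abc123; Path=/; HttpOnly",
}
ALLOWED = {"https://langflow.internal.example"}


def run_sample() -> Dict[str, List[str]]:
    return {"cors": audit_cors(SAMPLE_HEADERS, "https://untrusted.example", ALLOWED),
            "cookie": audit_session_cookie(SAMPLE_HEADERS["Set-Cookie"])}
```

Run the two audits against every cross-origin response a Langflow instance returns; any non-empty result on a code-execution endpoint is a finding to fix before relying on the patch alone.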
