Threat actors have demonstrated just how quickly they operate today after exploiting a critical open source vulnerability within 20 hours, working only from the advisory description.
The bug, CVE-2026-33017, is an unauthenticated remote code execution (RCE) vulnerability in Langflow – an open-source visual framework for building AI agents and retrieval-augmented generation (RAG) pipelines.
Given a CVSS score of 9.3, it allows attackers to execute arbitrary Python code on exposed Langflow instances, with no credentials required and only a single HTTP request.
Sysdig revealed in a blog post it had observed threat actors exploit the CVE within a day, despite the fact that no public proof-of-concept (PoC) code existed.
“Attackers built working exploits directly from the advisory description and began scanning the internet for vulnerable instances,” said Sysdig. “Exfiltrated information included keys and credentials, which provided access to connected databases and potential software supply chain compromise.”
Sysdig said that CVE-2026-33017 is a particularly attractive target for exploitation as no authentication is required, there are plenty of exposed Langflow instances, and exploitation is relatively easy.
Timeline of Exploitation Events
Sysdig said its honeypots observed the following malicious activity, following likely development of the exploit 20 hours after the CVE advisory was published on March 17:
- Automated scanning of infrastructure from four source IPs, all sending the same payload, and therefore likely coming from the same attacker
- Custom Python exploit scripts ready to be delivered via a stage-2 dropper, indicating the attacker had a prepared exploitation toolkit
- Credential harvesting, including databases, API keys, cloud credentials, and configuration files
Sysdig cited figures from the Zero Day Clock initiative which revealed that median time-to-exploit (TTE) collapsed from 771 days in 2018 to just hours in 2024. It said that, by 2023, 44% of exploited vulnerabilities were weaponized within 24 hours of disclosure, and 80% of public exploits appeared before the official advisory was published.
“This timeline compression poses serious challenges for defenders. The median time for organizations to deploy patches is approximately 20 days, meaning defenders are exposed and vulnerable for far too long,” Sysdig warned.
“Threat actors are monitoring the same advisory feeds that defenders use, and they are building exploits faster than most organizations can assess, test, and deploy patches. Organizations must completely reconsider their vulnerability programs to meet reality.”
The report chimes with a study from Rapid7 published this week which revealed that the median time between publication of a vulnerability and its inclusion on CISA’s Known Exploited Vulnerabilities (KEV) catalog dropped from 8.5 days to five days over the past year. Mean time dropped from 61 days to 28.5 days, Rapid7 warned.
