CISA confirmed active exploitation of two vulnerabilities on 21 May, requiring federal remediation by 4 June. The more operationally significant of the two — CVE-2026-34926 in Trend Micro Apex One — demonstrates a pattern adversaries are increasingly pursuing: exploiting security tooling itself to propagate through defended networks. The second, CVE-2025-34291 in the Langflow AI workflow platform, has been attributed to MuddyWater, an Iranian Ministry of Intelligence and Security (MOIS)-linked group, and points to growing adversary interest in AI pipeline infrastructure as an initial access vector.
CVE-2026-34926: Apex One as a Propagation Engine
Trend Micro Apex One On-Premise (2019, server and agent builds below 17079) contains a directory traversal vulnerability that allows an attacker with local access to manipulate file paths and modify a key configuration table on the Apex One management server. By injecting malicious code into that table, the attacker can cause the server to distribute the payload to every endpoint agent under its management.
The attack pattern is surgically effective: a single exploitation point on the management server translates directly into code execution across the entire managed fleet. Organisations with hundreds or thousands of Apex One-managed endpoints face potential simultaneous compromise from one server-side action. CISA’s confirmation of active exploitation means the theoretical capability is already being operationalised.
Affected environments span enterprise sectors broadly — Apex One is widely deployed across financial services, healthcare, telecommunications, and government organisations. A patch is available: organisations running affected builds should prioritise update to build 17079 or later. For deployments where immediate patching is operationally constrained, Trend Micro has issued workarounds addressing the specific traversal path; these should be applied as a temporary measure, not a substitute for patching.
CVE-2025-34291: MuddyWater Exploiting AI Workflow Infrastructure
The Langflow vulnerability stems from an origin validation error — an overly permissive CORS configuration combined with authentication cookies set as SameSite=None. The consequence is that a malicious webpage can initiate authenticated cross-origin requests on behalf of a logged-in user, enabling full account takeover and, because Langflow can execute workflow components, arbitrary remote code execution in the context of the platform.
Public reporting links active exploitation of CVE-2025-34291 to MuddyWater, which has used the flaw for initial access into target networks. MuddyWater has been active in 2026 targeting organisations across Europe and the Middle East, in some campaigns using ransomware to mask the underlying intelligence collection objective.
Langflow’s relevance extends beyond its user count. The platform is used to orchestrate AI agents and automate workflows — in enterprise deployments, it may have privileged access to internal APIs, data repositories, email and calendar systems, or productivity tooling. Compromise of a Langflow instance can therefore provide lateral movement pathways that are less visible than traditional network pivots.
What This Means for Affected Sectors
Financial services and professional services organisations using AI workflow automation (common in data analysis, compliance monitoring, and customer interaction pipelines) should treat exposed Langflow instances as priority attack surface. The MuddyWater attribution suggests espionage intent alongside operational disruption capability.
Healthcare and critical infrastructure organisations running Apex One at scale should assess their exposure immediately. The propagation mechanism — pushing malicious content through the endpoint agent update channel — is difficult to detect with standard network monitoring and may bypass application controls that treat Apex One traffic as trusted.
Recommended Actions
Apex One (CVE-2026-34926):
- Apply Trend Micro’s patch to server build 17079 or later without waiting for the next scheduled maintenance window
- If immediate patching is not possible, apply vendor-recommended workarounds and isolate the management server from untrusted network segments
- Review Apex One deployment logs from the past 30 days for anomalous agent update activity or configuration changes to key management tables
Langflow (CVE-2025-34291):
- Identify all Langflow deployments in your environment, including shadow IT instances stood up by development or data science teams
- Apply the available patch; if patching is delayed, restrict Langflow access to internal networks only and require VPN for all access
- Audit Langflow service account permissions — limit access to only the integrations the platform actually requires
- Review authentication logs for unusual cross-origin activity or unexpected API calls originating from Langflow service accounts
Federal agencies face a 4 June 2026 remediation deadline under BOD 22-01. Private sector organisations are strongly advised to treat both vulnerabilities on an equivalent timeline.