A significant security exposure in the fast-moving “agentic AI” landscape has left countless personal and corporate AI assistants open to the public internet.
Findings disclosed today by the SecurityScorecard STRIKE Threat Intelligence Team indicate that 15,200 instances of the widely used OpenClaw framework (previously known as Moltbot) are susceptible to Remote Code Execution (RCE), enabling attackers to take complete control of the host devices.
The STRIKE team’s investigation uncovered 42,900 distinct IP addresses running exposed OpenClaw control panels across 82 nations. Unlike web servers that are meant to be publicly accessible, these are often individual workstations or cloud instances hosting AI agents that were exposed by mistake because of insecure default configurations.
The core problem is OpenClaw’s default setup, which binds the service to 0.0.0.0:18789 and therefore listens on all network interfaces, rather than binding to the safer 127.0.0.1 (localhost).
Consequently, users who deployed the tool for personal automation have unwittingly made their control panels visible to the entire internet.
“The calculation is straightforward: when you grant an AI agent unrestricted access to your device, you also provide that same access to anyone who can compromise it,” the STRIKE report highlights.
The risk is compounded by the fact that 53,300 of the detected instances correlate with previous breach incidents, suggesting that many of these agents are running in environments that have already been infiltrated or flagged for elevated-risk behavior.
Severe OpenClaw/Clawbot Vulnerabilities
The exposure is not merely a configuration mistake; it is compounded by three critical Common Vulnerabilities and Exposures (CVEs) found in older versions of the software, which make up the majority of deployments.
- CVE-2026-25253 (CVSS 8.8): A “1-click” RCE vulnerability. Attackers can construct a malicious link that, when clicked by the OpenClaw user, steals their authentication token and gives the attacker full control over the agent.
- CVE-2026-25157 (CVSS 7.8): An SSH command injection vulnerability in the macOS application, allowing arbitrary command execution via malicious project paths.
- CVE-2026-24763 (CVSS 8.8): A Docker sandbox breakout vulnerability that permits an agent to escape its containerized environment and access the host system through PATH manipulation.
Though fixes were issued in version 2026.1.29 on January 29, STRIKE’s data shows that 78% of exposed instances are still running older versions branded “Clawdbot” or “Moltbot,” leaving them exposed to these vulnerabilities.
The compromise of an AI agent presents a distinct and heightened risk compared to conventional software vulnerabilities. Since agents are designed to act on behalf of the user—reading emails, managing infrastructure, and executing code—an attacker who gains control over an agent inherits those same privileges.
“Agentic AI does not create new categories of vulnerability. It inherits previous ones and amplifies their impact,” the researchers clarify. A compromised OpenClaw instance grants immediate access to sensitive directories, including ~/.ssh/ keys, AWS/cloud credentials, and authenticated browser sessions.
Attackers can leverage this access to pivot laterally into corporate networks, deplete cryptocurrency wallets, or impersonate the victim on platforms like Discord and Telegram.
The investigation also detected signs of advanced persistent threat (APT) groups, including Kimsuky and APT28, operating near these exposed instances.
Approximately 33.8% of the exposed infrastructure aligns with known threat actor activity, indicating that these tools are either utilized by attackers or deployed on systems already under their control.
The STRIKE team urges all OpenClaw users to take prompt action to safeguard their deployments. The primary mitigation measure is to update to version 2026.2.1 or later, which addresses the RCE vulnerabilities.
Essential defense measures include:
- Bind to Localhost: Confirm the configuration is set to gateway.bind: "127.0.0.1" to avert external access.
- Rotate Credentials: Treat all API keys and tokens stored within the agent as compromised and change them immediately.
- Use Secure Tunnels: For remote access, implement zero-trust tunnels such as Tailscale or Cloudflare Tunnel instead of exposing ports directly to the internet.
For security teams, STRIKE advises blocking port 18789 at the perimeter and monitoring for unusual outbound command-and-control (C2) traffic originating from internal workstations.
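A host-side check for the bind-address exposure described above, as an added example that is not from STRIKE or the OpenClaw project: it parses `ss -ltn` output and reports any listener on port 18789 that is bound to something other than loopback. The sample listing and the function names are constructed for illustration.

```python
import ipaddress

OPENCLAW_PORT = 18789  # default port named in the article

# Constructed sample of `ss -ltn` output, not captured from a real host.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      511    0.0.0.0:18789       0.0.0.0:*
LISTEN 0      511    127.0.0.1:18789     0.0.0.0:*
LISTEN 0      511    [::1]:18789         [::]:*
LISTEN 0      511    192.168.1.40:18789  0.0.0.0:*
LISTEN 0      511    *:18789             *:*
"""

def classify(addr):
    """Return 'loopback', 'wildcard' or 'specific' for a bind address."""
    if addr == "*":
        return "wildcard"          # dual-stack wildcard as printed by ss
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    return "wildcard" if ip.is_unspecified else "specific"

def exposed_listeners(ss_text, port=OPENCLAW_PORT):
    """Return [(addr, kind)] for LISTEN sockets on `port` not bound to loopback."""
    findings = []
    for line in ss_text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue               # skips the header row and non-listening states
        addr, _, p = cols[3].rpartition(":")      # handles [v6]:port and *:port
        addr = addr.split("%", 1)[0].strip("[]")  # drop %iface scope and brackets
        if p != str(port):
            continue
        kind = classify(addr)
        if kind != "loopback":
            findings.append((addr, kind))
    return findings

if __name__ == "__main__":
    for addr, kind in exposed_listeners(SAMPLE_SS):
        print(f"port {OPENCLAW_PORT} is listening on {addr} ({kind} bind)")
```

On a live Linux host, pass the text of `ss -ltn` to `exposed_listeners`; an empty result means the port is either closed or bound to loopback only.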
A live dashboard monitoring the exposure, termed “Declawed,” provides updates on the number of vulnerable instances every 15 minutes, offering the community a real-time view of the remediation efforts.