Security

Open-Source AI Framework API Flaw Enables Global Cryptojacking Botnet

Unauthenticated Remote Code Execution in the Ray API is being weaponized to steal premium cloud compute for a self-propagating, resource-draining cryptojacking operation.
November 19, 20253 min

The image displays an abstract arrangement of soft white, cloud-like masses, translucent blue geometric shapes, and polished silver rings. A textured white sphere, resembling a moon, is centrally placed among these elements against a dark blue background
An abstract geometric composition features two luminous, faceted blue crystalline rods intersecting at the center, surrounded by an intricate framework of dark blue and metallic silver blocks. The crystals glow with an internal light, suggesting precision and value, while the structural elements create a sense of depth and interconnectedness, all set against a soft grey background

Briefing

A critical vulnerability in the Ray open-source AI framework’s API is under widespread, active exploitation, allowing threat actors to achieve unauthenticated Remote Code Execution (RCE). The primary consequence is the systemic compromise of enterprise and research cloud infrastructure, where attackers weaponize Ray’s legitimate resource orchestration features to install and manage a self-propagating cryptojacking botnet. Forensic analysis confirms the attackers are stealing premium compute resources, specifically high-value A100 GPU chips, to mine cryptocurrency, with the campaign observed to be ongoing since September 2024.

The image displays a detailed blue metallic mechanism with a cluster of blue foam resting on its surface. This visual composition can be interpreted as representing the intricate architecture of blockchain protocols, where the foam symbolizes data or digital assets that are either being processed, secured, or potentially compromised within the network

Context

The prevailing risk factor in the open-source supply chain is the failure to enforce timely patching for known, critical vulnerabilities; this specific flaw was initially discovered in 2023, with public proof-of-concept code available since early 2025. This incident leverages the inherent complexity and wide-ranging access of AI/ML orchestration tools, which often run with excessive permissions on exposed cloud-hosted clusters, creating an ideal, high-value attack surface.

A futuristic white and metallic apparatus forcefully discharges a vivid blue liquid stream, creating dynamic splashes and ripples. The sleek, high-tech design suggests advanced engineering and efficient operation

Analysis

The attack chain is initiated by exploiting an improperly secured API endpoint within the Ray framework that handles compute resource management. The core vulnerability is an eval injection bug, tracked as CVE-2025-24893, which allows an unauthenticated guest user to inject and execute arbitrary code through crafted requests to the search endpoint. Once RCE is achieved on the exposed Ray cluster, the threat actor utilizes the framework’s own features to deploy and orchestrate a covert cryptomining payload, effectively turning the victim’s high-end GPUs into a self-sustaining, distributed mining operation. The attackers employ techniques like CPU usage throttling and process disguising to evade detection while stealing premium compute resources.

A stark white, cube-shaped module stands prominently with one side open, exposing a vibrant, glowing blue internal matrix of digital components. Scattered around the central module are numerous similar, out-of-focus structures, suggesting a larger interconnected system

Parameters

  • Vulnerability Type → Unauthenticated Remote Code Execution (RCE) via API flaw.
  • Affected System → Ray Open-Source AI Framework (versions before 15.10.11, 16.4.1, 16.5.0RC1).
  • Targeted Asset → Premium Cloud Compute Resources (e.g. A100 GPUs) for cryptomining.
  • Exploitation Status → Widespread and Active (spike observed November 7 and 11, 2025).
  • CVSS Score → 9.8 (Critical).

A futuristic, intricate mechanical structure, composed of metallic rings, springs, and layered elements in white, silver, and dark grey, encloses a vibrant, gradient cloud-like substance. This substance transitions from dense white at the top to deep blue at the bottom, suggesting dynamic movement within the core

Outlook

Immediate mitigation requires administrators to apply the latest patches (15.10.11, 16.4.1, or 16.5.0RC1) and strictly enforce network segmentation to prevent external access to the Ray API endpoint. This exploit establishes a new security baseline, highlighting the critical contagion risk from the convergence of open-source AI/ML infrastructure and the cryptocurrency threat landscape, demanding that all projects running high-value compute adopt zero-trust security models and mandatory API authentication. The long-term risk involves the normalization of infrastructure-level cryptojacking as a primary financial attack vector.

A sophisticated 3D rendering depicts a complex, spherical mechanism featuring interlocking white modular segments that encase a central volume teeming with translucent blue cubes. A smooth white cylindrical element traverses the core, adding to the structural integrity

Verdict

This incident confirms that the greatest systemic risk is the weaponization of unpatched, high-privilege infrastructure components for persistent, resource-draining financial gain, demanding an immediate and global patch mandate for all exposed AI/ML clusters.

Remote code execution, Unauthenticated API access, Cryptojacking botnet, Supply chain attack, Open source vulnerability, Cloud compute theft, AI framework security, Resource orchestration flaw, Self-propagating malware, Enterprise security risk, Compute resource mining, Server cluster compromise, API endpoint vulnerability, Infrastructure attack vector, Unpatched server risk, Post-exploitation activity, Command and control, Lateral movement, Code execution vulnerability, Autonomous malware spread Signal Acquired from → cyberscoop.com

Micro Crypto News Feeds

remote code execution

Definition ∞ Remote Code Execution (RCE) is a type of cybersecurity vulnerability that allows an attacker to execute arbitrary code on a target computer system over a network.

supply chain

Definition ∞ A supply chain is the network of all the individuals, companies, resources, activities, and technologies involved in the creation and sale of a product, from the delivery of source materials from the supplier to the manufacturer, through to its eventual sale to the end consumer.

compute resources

Definition ∞ Compute resources are the processing power, memory, and storage capacity required to run digital operations.

code execution

Definition ∞ Code execution is the process by which a computer follows instructions written in a programming language.

framework

Definition ∞ A framework provides a foundational structure or system that can be adapted or extended for specific purposes.

compute

Definition ∞ Compute refers to the processing power and computational operations required to execute digital tasks.

infrastructure

Definition ∞ Infrastructure refers to the fundamental technological architecture and systems that support the operation and growth of blockchain networks and digital asset services.

risk

Definition ∞ Risk refers to the potential for loss or undesirable outcomes.

Tags:

Tags: