Skip to main content
Security

Open-Source AI Framework API Flaw Enables Global Cryptojacking Botnet

Unauthenticated Remote Code Execution in the Ray API is being weaponized to steal premium cloud compute for a self-propagating, resource-draining cryptojacking operation.
November 19, 20253 min

A translucent, light blue, organic-shaped structure with multiple openings encloses a complex, metallic deep blue mechanism. The outer material exhibits smooth, flowing contours and stretched connections, revealing intricate gears and components within the inner structure
The image displays two large, rough, blue, rock-like forms partially covered in white, fluffy material, resting on a rippling blue water surface with white mist. A transparent, concentric ring structure emerges from the white material on the left blue form, propagating outwards

Briefing

A critical vulnerability in the Ray open-source AI framework’s API is under widespread, active exploitation, allowing threat actors to achieve unauthenticated Remote Code Execution (RCE). The primary consequence is the systemic compromise of enterprise and research cloud infrastructure, where attackers weaponize Ray’s legitimate resource orchestration features to install and manage a self-propagating cryptojacking botnet. Forensic analysis confirms the attackers are stealing premium compute resources, specifically high-value A100 GPU chips, to mine cryptocurrency, with the campaign observed to be ongoing since September 2024.

A central metallic rod extends horizontally, surrounded by numerous thin, flat, metallic silver strips radiating outwards. Behind these structured elements, a textured, amorphous mass of blue and white is visible, suggesting a cloud-like or porous material

Context

The prevailing risk factor in the open-source supply chain is the failure to enforce timely patching for known, critical vulnerabilities; this specific flaw was initially discovered in 2023, with public proof-of-concept code available since early 2025. This incident leverages the inherent complexity and wide-ranging access of AI/ML orchestration tools, which often run with excessive permissions on exposed cloud-hosted clusters, creating an ideal, high-value attack surface.

The image presents a detailed view of a translucent blue, intricately shaped component, featuring bright blue illuminated circular elements and reflective metallic parts. This futuristic design suggests a high-tech system, with multiple similar components visible in the blurred background

Analysis

The attack chain is initiated by exploiting an improperly secured API endpoint within the Ray framework that handles compute resource management. The core vulnerability is an eval injection bug, tracked as CVE-2025-24893, which allows an unauthenticated guest user to inject and execute arbitrary code through crafted requests to the search endpoint. Once RCE is achieved on the exposed Ray cluster, the threat actor utilizes the framework’s own features to deploy and orchestrate a covert cryptomining payload, effectively turning the victim’s high-end GPUs into a self-sustaining, distributed mining operation. The attackers employ techniques like CPU usage throttling and process disguising to evade detection while stealing premium compute resources.

The image presents an array of futuristic white and translucent blue mechanical components, appearing to connect or separate, with a vibrant blue light emanating from their central interface. These precisely engineered elements are positioned against a dark, blurred background, hinting at a complex, high-tech system in operation

Parameters

  • Vulnerability Type ∞ Unauthenticated Remote Code Execution (RCE) via API flaw.
  • Affected System ∞ Ray Open-Source AI Framework (versions before 15.10.11, 16.4.1, 16.5.0RC1).
  • Targeted Asset ∞ Premium Cloud Compute Resources (e.g. A100 GPUs) for cryptomining.
  • Exploitation Status ∞ Widespread and Active (spike observed November 7 and 11, 2025).
  • CVSS Score ∞ 9.8 (Critical).

A futuristic, intricate mechanical structure, composed of metallic rings, springs, and layered elements in white, silver, and dark grey, encloses a vibrant, gradient cloud-like substance. This substance transitions from dense white at the top to deep blue at the bottom, suggesting dynamic movement within the core

Outlook

Immediate mitigation requires administrators to apply the latest patches (15.10.11, 16.4.1, or 16.5.0RC1) and strictly enforce network segmentation to prevent external access to the Ray API endpoint. This exploit establishes a new security baseline, highlighting the critical contagion risk from the convergence of open-source AI/ML infrastructure and the cryptocurrency threat landscape, demanding that all projects running high-value compute adopt zero-trust security models and mandatory API authentication. The long-term risk involves the normalization of infrastructure-level cryptojacking as a primary financial attack vector.

The image displays a detailed blue metallic mechanism with a cluster of blue foam resting on its surface. This visual composition can be interpreted as representing the intricate architecture of blockchain protocols, where the foam symbolizes data or digital assets that are either being processed, secured, or potentially compromised within the network

Verdict

This incident confirms that the greatest systemic risk is the weaponization of unpatched, high-privilege infrastructure components for persistent, resource-draining financial gain, demanding an immediate and global patch mandate for all exposed AI/ML clusters.

Remote code execution, Unauthenticated API access, Cryptojacking botnet, Supply chain attack, Open source vulnerability, Cloud compute theft, AI framework security, Resource orchestration flaw, Self-propagating malware, Enterprise security risk, Compute resource mining, Server cluster compromise, API endpoint vulnerability, Infrastructure attack vector, Unpatched server risk, Post-exploitation activity, Command and control, Lateral movement, Code execution vulnerability, Autonomous malware spread Signal Acquired from ∞ cyberscoop.com

Micro Crypto News Feeds

remote code execution

Definition ∞ Remote Code Execution (RCE) is a type of cybersecurity vulnerability that allows an attacker to execute arbitrary code on a target computer system over a network.

supply chain

Definition ∞ A supply chain is the network of all the individuals, companies, resources, activities, and technologies involved in the creation and sale of a product, from the delivery of source materials from the supplier to the manufacturer, through to its eventual sale to the end consumer.

compute resources

Definition ∞ Compute resources are the processing power, memory, and storage capacity required to run digital operations.

code execution

Definition ∞ Code execution is the process by which a computer follows instructions written in a programming language.

framework

Definition ∞ A framework provides a foundational structure or system that can be adapted or extended for specific purposes.

compute

Definition ∞ Compute refers to the processing power and computational operations required to execute digital tasks.

infrastructure

Definition ∞ Infrastructure refers to the fundamental technological architecture and systems that support the operation and growth of blockchain networks and digital asset services.

risk

Definition ∞ Risk refers to the potential for loss or undesirable outcomes.

Tags:

Tags: