Briefing

A critical vulnerability in the Ray open-source AI framework’s API is under widespread, active exploitation, allowing threat actors to achieve unauthenticated Remote Code Execution (RCE). The primary consequence is the systemic compromise of enterprise and research cloud infrastructure, where attackers weaponize Ray’s legitimate resource orchestration features to install and manage a self-propagating cryptojacking botnet. Forensic analysis confirms the attackers are stealing premium compute resources, specifically high-value A100 GPU chips, to mine cryptocurrency, with the campaign observed to be ongoing since September 2024.


Context

The prevailing risk factor in the open-source supply chain is the failure to enforce timely patching for known, critical vulnerabilities; this specific flaw was initially discovered in 2023, with public proof-of-concept code available since early 2025. This incident leverages the inherent complexity and wide-ranging access of AI/ML orchestration tools, which often run with excessive permissions on exposed cloud-hosted clusters, creating an ideal, high-value attack surface.


Analysis

The attack chain is initiated by exploiting an improperly secured API endpoint within the Ray framework that handles compute resource management. The core vulnerability is an eval injection bug, tracked as CVE-2025-24893, which allows an unauthenticated guest user to inject and execute arbitrary code through crafted requests to the search endpoint. Once RCE is achieved on the exposed Ray cluster, the threat actor utilizes the framework’s own features to deploy and orchestrate a covert cryptomining payload, effectively turning the victim’s high-end GPUs into a self-sustaining, distributed mining operation. The attackers employ techniques like CPU usage throttling and process disguising to evade detection while stealing premium compute resources.


Parameters

  • Vulnerability Type → Unauthenticated Remote Code Execution (RCE) via API flaw.
  • Affected System → Ray Open-Source AI Framework (versions before 15.10.11, 16.4.1, 16.5.0RC1).
  • Targeted Asset → Premium Cloud Compute Resources (e.g. A100 GPUs) for cryptomining.
  • Exploitation Status → Widespread and Active (spike observed November 7 and 11, 2025).
  • CVSS Score → 9.8 (Critical).


Outlook

Immediate mitigation requires administrators to apply the latest patches (15.10.11, 16.4.1, or 16.5.0RC1) and strictly enforce network segmentation to prevent external access to the Ray API endpoint. This exploit establishes a new security baseline, highlighting the critical contagion risk from the convergence of open-source AI/ML infrastructure and the cryptocurrency threat landscape, demanding that all projects running high-value compute adopt zero-trust security models and mandatory API authentication. The long-term risk involves the normalization of infrastructure-level cryptojacking as a primary financial attack vector.
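As an added example (not from the original report), the segmentation requirement above can be checked on each node by auditing which addresses the Ray API listens on. The sketch parses `ss -ltnH` output and flags listeners reachable beyond loopback or RFC 1918 space; port 8265 (Ray's default dashboard and Jobs API port) and the sample lines are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample of `ss -ltnH` output (not taken from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:8265 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 128 10.0.4.17:10001 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 203.0.113.9:8265 0.0.0.0:*
"""

# Assumption: 8265 is Ray's default dashboard / Jobs API port; adjust per deployment.
RAY_PORTS = {8265}
# Explicit internal ranges; ipaddress.is_private also covers documentation nets.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def parse_listener(line):
    """Return (host, port) for one `ss -ltnH` LISTEN line, else None."""
    fields = line.split()
    if len(fields) < 4 or fields[0] != "LISTEN":
        return None
    host, _, port = fields[3].rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and scope id
    if host == "*":                        # ss prints * for a wildcard bind
        host = "0.0.0.0"
    try:
        ipaddress.ip_address(host)
        return host, int(port)
    except ValueError:
        return None

def classify(host):
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "all-interfaces"
    if any(ip in net for net in INTERNAL_NETS):
        return "private"
    return "public"

def exposed_ray_listeners(ss_output, ports=RAY_PORTS):
    """List (host, port, scope) for Ray ports bound to wildcard or public IPs."""
    findings = []
    for line in ss_output.splitlines():
        parsed = parse_listener(line)
        if parsed and parsed[1] in ports:
            scope = classify(parsed[0])
            if scope in ("all-interfaces", "public"):
                findings.append((parsed[0], parsed[1], scope))
    return findings
```

A listener classified as `private` is still reachable from anything inside that network, so this check complements firewall and security-group rules rather than replacing them.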


Verdict

This incident confirms that the greatest systemic risk is the weaponization of unpatched, high-privilege infrastructure components for persistent, resource-draining financial gain, demanding an immediate and global patch mandate for all exposed AI/ML clusters.

Signal Acquired from → cyberscoop.com