The IT Nerd

In a report published yesterday, SecurityScorecard’s STRIKE threat intelligence team identified a widespread exposure problem affecting the OpenClaw open-source, vibe-coded AI agent platform, with more than 135,000 instances of the software publicly exposed to the internet. This is in addition to previously known vulnerabilities in the platform.

   “Our findings reveal a massive access and identity problem created by poorly secured automation at scale. Convenience-driven deployment, default settings, and weak access controls have turned powerful AI agents into high-value targets for attackers,” the STRIKE team wrote in the report.

OpenClaw’s bot extensions “skill store” had three high-risk CVEs attributed to it in recent weeks, and it’s also been documented that its various skills can be cracked fairly easily exposing API keys, credit card numbers, PII, and other data valuable to cybercriminals. 

Just a few hours after publication of the report, as the number of internet-facing OpenClaw instances associated with known threat actor IPs increased, the number of identified vulnerable systems on STRIKE’s live OpenClaw threat Dashboard increased by 40,000, the number of RCE-vulnerable instances went from 12,812 to more than 50,000, the number of instances detected that were linked to previously reported breaches had gone from 549 to over 53,000.

Researchers recommend OpenClaw users immediately change the default network connection so it’s configured to point to a localhost. 

   “Out of the box, OpenClaw binds to `0.0.0.0:18789`, meaning it listens on all network interfaces, including the public internet. For a tool this powerful, the default should be `127.0.0.1` (localhost only). It isn’t,” STRIKE noted.

Ryan McCurdy, VP of Marketing, Liquibase:

   “This is what automation at scale looks like when controls lag behind speed. Teams are moving fast but security and governance have to start with safe defaults, tight network exposure, and auditable access. Otherwise, the first misconfiguration becomes a repeatable incident pattern.”

Michael Bell, Founder & CEO, Suzu Labs:

   “135,000 OpenClaw instances are listening on the public internet right now. Most have no authentication. Most are running versions with known RCE vulnerabilities and public exploit code. The platform binds to all network interfaces by default, and the numbers tell you how many users changed that setting.

   “We just saw the same fundamental problem with Claude Desktop Extensions last week. AI agent platforms keep shipping with full system access and no trust boundaries. OpenClaw is what that looks like at scale. 78% of exposed instances haven’t applied the critical patches from January 29. Some are running on infrastructure previously linked to Kimsuky, APT28, and Salt Typhoon. And this isn’t hobbyists in garages. STRIKE found exposed instances in financial services, healthcare, government, and education.

   “A privileged service account with no password on an internet-facing server would get someone fired. An AI agent with the same access level and the same exposure is somehow a feature.”

John Carberry, Solution Sleuth, Xcape, Inc.:

   “The widespread exposure of over 175,000 OpenClaw instances serves as a stark warning about the perils of “vibe-coded” AI agents that prioritize ease of use over fundamental security. By defaulting to a 0.0.0.0:18789 binding, OpenClaw effectively opened the door for the public Internet to engage with potent autonomous agents holding direct access to sensitive API keys and PII.

   “This “convenience-first” approach has generated a vast, automated attack surface, with over 50,000 instances now confirmed vulnerable to Remote Code Execution (RCE). The rapid increase in systems connected to known threat actor IPs, observed within hours of the SecurityScorecard report, indicates that cybercriminals are leveraging the same speed of automation for weaponization as developers used for deployment. What’s particularly alarming is how swiftly AI tools designed for convenience can lead to widespread access and identity breaches when basic safeguards are absent.

   “For security teams, immediate action is imperative: limit network exposure by configuring listening IP Addresses to only those required, revoke and reissue all potentially compromised keys and secrets, scan for misconfigurations using tools like Nuclei or Shodan, scrutinize skill extensions for vulnerabilities, implement Zero Trust principles for AI infrastructure, and operate under the assumption of compromise for systems with default configurations.

   “In the long run, SOC teams must manage AI agents with the same rigor as any other privileged infrastructure, implementing robust default security settings, continuous monitoring, and adherence to the principle of least privilege.

   “If you don’t vibe-code your defaults to localhost, hackers will vibe off your information. In short, don’t use these inherently flawed software.”

Vibe coding is a thing. But perhaps it shouldn’t be based on this. What are your thoughts on this? Please leave a comment and share what you think.