Article Details

Scrape Timestamp (UTC): 2026-02-09 17:26:18.073

Source: https://www.theregister.com/2026/02/09/openclaw_instances_exposed_vibe_code/

Original Article Text


More than 135,000 OpenClaw instances exposed to internet in latest vibe-coded disaster

By default, the bot listens on all network interfaces, and many users never change it.

It's a day with a name ending in Y, so you know what that means: Another OpenClaw cybersecurity disaster. This time around, SecurityScorecard's STRIKE threat intelligence team is sounding the alarm over the sheer volume of internet-exposed OpenClaw instances it discovered, which numbers more than 135,000 as of this writing. When combined with previously known vulnerabilities in the vibe-coded AI assistant platform and links to prior breaches, STRIKE warns that there's a systemic security failure in the open-source AI agent space.

"Our findings reveal a massive access and identity problem created by poorly secured automation at scale," the STRIKE team wrote in a report released Monday. "Convenience-driven deployment, default settings, and weak access controls have turned powerful AI agents into high-value targets for attackers."

For those unfamiliar with the saga of Clawdbot, er Moltbot, no, wait, OpenClaw (it keeps changing names), it's an open-source, vibe-coded agentic AI platform that has been, frankly, an unmitigated disaster for those worried about security. OpenClaw's skill store, where users can find extensions for the bot, is riddled with malicious software. Three high-risk CVEs have been attributed to it in recent weeks, and it's also been reported that its various skills can be easily cracked and forced to spill API keys, credit card numbers, PII, and other data valuable to cybercriminals.

Take a bunch of those already vulnerable instances and give them free rein to access the internet, as STRIKE has discovered happening around the world, and those problems are quickly magnified.

STRIKE's summary of the problem doesn't even do it justice, as the number of identified vulnerable systems has skyrocketed on its live OpenClaw threat dashboard since publication several hours before our story.

Take the aforementioned 135,000+ internet-facing OpenClaw instances - that number is as of our writing; when STRIKE published its report earlier today, that number was at just over 40,000. STRIKE also mentioned 12,812 OpenClaw instances it discovered being vulnerable to an established and already patched remote code execution bug. As of this writing, the number of RCE-vulnerable instances has jumped to more than 50,000. The number of instances detected that were linked to previously reported breaches (not necessarily related) has also skyrocketed from 549 to over 53,000, as has the number of internet-facing OpenClaw instances associated with known threat actor IPs.

In other words, this is nothing short of a disaster in the making, all thanks to a suddenly popular AI tool vibe-coded into existence with little regard to the safety of its codebase or users.

That's not to say users aren't at least partially to blame for the issue. Take the way OpenClaw's default network connection is configured.

"Out of the box, OpenClaw binds to `0.0.0.0:18789`, meaning it listens on all network interfaces, including the public internet," STRIKE noted. "For a tool this powerful, the default should be `127.0.0.1` (localhost only). It isn't."

STRIKE recommends all OpenClaw users, at the very least, immediately change that binding to point it to localhost. Outside of that, however, SecurityScorecard's VP of threat intelligence and research Jeremy Turner wants users to know that most of the flaws in the system aren't due to user inattention to defaults. He told The Register in an email that many of OpenClaw's problems are there by design because it's built to make system changes and expose additional services to the web by its nature.
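The binding problem STRIKE describes is easy to verify on the host itself. The script below is an added example written for this page; it is not code from the article, from SecurityScorecard, or from the OpenClaw project. It assumes a Linux host with `ss` from iproute2 and parses its socket table, flagging any listener on the given port that is bound to a wildcard address (`0.0.0.0`, `*`, `[::]`) rather than loopback. The socket table embedded in the script is constructed sample data, not output from a real OpenClaw host; the generic parser works for any port, not only 18789.

```shell
#!/bin/sh
# Audit a host for a service listening on all interfaces (the OpenClaw default
# of 0.0.0.0:18789 described above). Reads `ss -Hltn`-style rows on stdin:
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port [Process]
# Prints one verdict per socket on the requested port and returns 1 if any
# socket on that port is bound to a wildcard address, 0 otherwise.
find_exposed() {
    port="$1"
    found=0
    while read -r state _recvq _sendq localep _peer _rest; do
        [ -n "$localep" ] || continue
        # Split "addr:port". The address may itself contain colons ([::],
        # [::1]), so strip the port from the right end only.
        lport="${localep##*:}"
        laddr="${localep%:*}"
        [ "$lport" = "$port" ] || continue
        case "$laddr" in
            0.0.0.0|'*'|'[::]'|::)
                echo "EXPOSED  $localep  ($state, all interfaces)"
                found=1 ;;
            127.0.0.1|'[::1]'|::1)
                echo "ok       $localep  (loopback only)" ;;
            *)
                echo "CHECK    $localep  (bound to one interface; confirm it is not routable)" ;;
        esac
    done
    return $found
}

# Constructed sample socket table (not real scan data): a wildcard bind on
# 18789, a loopback-only bind on 18789, and an unrelated SSH listener.
SAMPLE='LISTEN 0 4096 0.0.0.0:18789 0.0.0.0:* users:(("openclaw",pid=4242,fd=7))
LISTEN 0 4096 127.0.0.1:18789 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# On a live Linux host, pipe the real table in instead:
#   ss -Hltn | find_exposed 18789
printf '%s\n' "$SAMPLE" | find_exposed 18789 \
    || echo "At least one listener on 18789 is reachable from the network"
```

The article does not describe OpenClaw's configuration file, so the bind change itself is not shown here; apply STRIKE's advice in whatever setting the project exposes for its listen address. If that setting cannot be changed immediately, a host firewall rule such as `iptables -I INPUT -p tcp --dport 18789 ! -i lo -j DROP` blocks every non-loopback packet to the port until it can be, and remote access, if genuinely needed, belongs behind an SSH tunnel or an authenticating reverse proxy rather than a wildcard bind.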
"It's like giving some random person access to your computer to help do tasks," Turner said. "If you supervise and verify, it's a huge help. If you just walk away and tell them all future instructions will come via email or text message, they might follow instructions from anyone."

As STRIKE pointed out, compromising an OpenClaw instance means gaining access to everything the agent can access, be that a credential store, filesystem, messaging platform, web browser, or just its cache of personal details gathered about its user.

And with many of the exposed OpenClaw instances coming from organizational IP addresses and not just home systems, it's worth pointing out that this isn't just a problem for individuals mucking around with AI.

Turner warns that OpenClaw isn't to be trusted, especially in organizational contexts.

"Consider carefully how you integrate this, and test in a virtual machine or separate system where you limit the data and access with careful consideration," Turner explained. "Think of it like hiring a worker with a criminal history of identity theft who knows how to code well and might take instructions from anyone."

That said, Turner isn't advocating for individuals and organizations to completely abandon agentic AI like OpenClaw - he simply wants potential users to be wary and consider the risks when deploying a potentially revolutionary new tech product that's rife with vulnerabilities.

"All these new capabilities are incredible, and the researchers deserve a lot of credit for democratizing access to these new technologies," Turner told us. "Learn to swim before jumping in the ocean."

Or just stay out altogether - the ocean is terrifying.

Daily Brief Summary

VULNERABILITIES // Over 135,000 OpenClaw Instances Exposed Due to Default Settings

SecurityScorecard's STRIKE team identified over 135,000 OpenClaw instances exposed to the internet, raising significant security concerns due to default network settings.

OpenClaw, an open-source AI agent platform, is plagued by vulnerabilities, including three high-risk CVEs, a malware-ridden skill store, and an already patched remote code execution bug that more than 50,000 internet-facing instances still have not applied.

The number of exposed instances linked to previously reported breaches (not necessarily related to OpenClaw) rose from 549 to over 53,000 on STRIKE's live dashboard within hours of publication, as did the number associated with known threat actor IPs.

STRIKE advises users, at a minimum, to change the default listener bind from `0.0.0.0:18789` (all interfaces) to `127.0.0.1` (localhost only) so the agent is not reachable from public networks.

Jeremy Turner of SecurityScorecard warns that OpenClaw’s design inherently exposes systems, necessitating careful integration and testing in controlled environments.

Many exposed instances originate from organizational IPs, posing risks beyond individual users and potentially affecting enterprise security.

Users are cautioned against deploying OpenClaw without thorough risk assessment, given its potential to access sensitive data and system resources.