Tens of thousands of OpenClaw AI agents were left exposed online due to unsafe default settings and known software flaws.
Quick Summary – TLDR:
- Over 40,000 OpenClaw instances were found exposed to the public internet.
- At least 12,812 systems are vulnerable to full remote code execution (RCE) attacks.
- Leaked API keys, credentials, and full system control are among the biggest risks.
- Experts warn this highlights a wider security crisis in agentic AI infrastructure.
What Happened?
Researchers at SecurityScorecard’s STRIKE Threat Intelligence Team have discovered more than 40,000 exposed instances of OpenClaw, a popular agentic AI framework. These exposed systems are not only accessible to anyone online but also vulnerable to known critical exploits, with some already linked to active breaches.
Widespread Exposure of AI Control Panels
The root cause lies in dangerous default settings. OpenClaw, formerly known as Clawdbot and Moltbot, is built to act on behalf of users and carry out real-world tasks like sending messages or managing files. But by default, it binds to 0.0.0.0 (all network interfaces), allowing access from anywhere on the internet unless users manually change the configuration.
Researchers used favicon fingerprinting and internet-wide scans to detect over 42,900 IP addresses hosting OpenClaw panels across 82 countries. Of those, 28,663 unique IPs were confirmed to be running exposed agents.
Key findings from the investigation
- 15,200 OpenClaw control panels are publicly accessible without proper authentication.
- 63% of all deployments are classified as vulnerable.
- 12,812 instances are vulnerable to Remote Code Execution (RCE).
- 549 deployments are linked to prior breaches.
- 1,493 instances are associated with known vulnerabilities.
Once compromised, an attacker can inherit the agent’s permissions, meaning they can:
- Access credentials: API keys, OAuth tokens, and saved passwords.
- Steal SSH keys and browser profiles.
- Impersonate users on messaging apps like Discord, Telegram, or WhatsApp.
- Drain crypto wallets or manipulate banking sessions.
The Risk of Outdated Versions and Unsafe Defaults
SecurityScorecard highlights a major problem: version fragmentation. Around 40% of deployments still label themselves as “Clawdbot Control” and 38.5% as Moltbot, indicating older forks and outdated versions are still in use.
Despite patches being available for three known high-severity vulnerabilities (including CVE-2026-25253 with a CVSS score of 8.8), most users haven’t updated. Exploit code is publicly available, making it easy for attackers to take advantage of unpatched systems.
Many of these instances are also found on cloud platforms like AWS and Azure, suggesting that flawed deployment templates are being reused and spreading the vulnerability.
Indirect Prompt Injection and Leaked Credentials
On top of remote access threats, exposed OpenClaw agents are vulnerable to indirect prompt injection. This technique tricks the bot into following malicious instructions hidden in messages or web content, leading it to take unintended actions, often without the user's awareness.
Some exposed control panels even leak API keys linked to third-party services, adding more fuel to the fire and increasing the potential impact.
Industry and Geographic Impact
OpenClaw’s security lapses are global in scope:
- Most exposed instances are found in China, followed by the United States and Singapore.
- The most affected sectors include:
  - Information Services
  - Technology
  - Manufacturing
  - Telecommunications
How to Fix It?
Experts recommend immediate action:
- Restrict access: Bind OpenClaw to 127.0.0.1 (localhost).
- Use strong passwords and change any defaults.
- Patch software to the latest version to close known vulnerabilities.
- Scan deployments with tools like Shodan.
- Firewalls and access controls should block public exposure.
- Cloud providers should review templates to stop unsafe configurations.
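To check the first recommendation on a host you administer, the added example below (not code from SecurityScorecard or the OpenClaw project) parses Linux's `/proc/net/tcp` socket table and reports every listening socket bound to something other than loopback, such as the 0.0.0.0 default described above. It assumes a little-endian Linux host; the function names and the sample table are constructed for illustration, and no OpenClaw port number is assumed.

```python
import ipaddress
import struct

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 41001
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 41002
   2: 0F02000A:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 41003
   3: 0100007F:1F90 0100007F:D2A4 01 00000000:00000000 00:00000000 00000000  1000        0 41004
"""

TCP_LISTEN = "0A"  # value of the "st" column for a listening socket


def decode_addr(hex_addr):
    """Decode a kernel hex address (8 digits IPv4, 32 digits IPv6).

    Assumption: little-endian host, so each 32-bit word is byte-swapped."""
    raw = b"".join(struct.pack("<I", int(hex_addr[i:i + 8], 16))
                   for i in range(0, len(hex_addr), 8))
    return ipaddress.ip_address(raw)


def classify(ip):
    """wildcard = 0.0.0.0 or ::, loopback = 127.0.0.0/8 or ::1, else one interface."""
    if ip.is_unspecified:
        return "wildcard"
    return "loopback" if ip.is_loopback else "interface"


def listeners(proc_text):
    """Return (ip, port, scope) for every LISTEN row, skipping the header."""
    found = []
    for line in proc_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue  # established and other non-listening sockets
        hex_ip, hex_port = fields[1].split(":")
        ip = decode_addr(hex_ip)
        found.append((str(ip), int(hex_port, 16), classify(ip)))
    return found


def non_loopback(proc_text):
    """Listeners reachable from other machines unless a firewall intervenes."""
    return [(ip, port) for ip, port, scope in listeners(proc_text) if scope != "loopback"]


if __name__ == "__main__":
    for ip, port in non_loopback(SAMPLE_PROC_NET_TCP):
        print(f"reachable beyond localhost: {ip}:{port}")
```

On a real host, pass the contents of `/proc/net/tcp` and `/proc/net/tcp6` to `non_loopback` instead of the sample; any agent port that appears in the result has not been restricted to 127.0.0.1.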
SQ Magazine Takeaway
I think this shows how powerful tools like OpenClaw come with huge risks when users skip basic security steps. You wouldn’t leave your front door open with your phone, wallet, and passwords inside, but that’s basically what’s happening here. Agentic AI is exciting, but if developers and companies treat security like an afterthought, they’re giving cybercriminals the keys to the castle. We need to be smarter and secure these tools before the damage is done.