15,200 OpenClaw Control Panels Exposed Online with Full System Access


A critical security oversight has left thousands of AI agents wide open to the public internet.

Roughly 15,200 internet-exposed instances of the OpenClaw AI agent framework (formerly known as Clawdbot and Moltbot) are vulnerable to remote takeover.

SecurityScorecard's STRIKE Threat Intelligence Team used internet-wide reconnaissance, including favicon fingerprinting, to identify approximately 42,900 unique IP addresses hosting OpenClaw control panels across 82 countries.
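Favicon fingerprinting works by hashing the icon a site serves and searching internet-scan datasets for every other host serving the same hash. The block below is an added example written for this article, not STRIKE's tooling or OpenClaw code: it implements the favicon hash convention used by Shodan-style scanners (32-bit MurmurHash3 over the base64-encoded icon bytes, newlines included) in pure Python, so it runs without the `mmh3` package. The favicon bytes are a constructed placeholder; the page does not state the hash value of the OpenClaw panel's icon, and none is assumed here.

```python
import base64


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 (Austin Appleby's reference algorithm), returned as a
    signed 32-bit integer to match the mmh3 package and favicon-hash search
    filters. Known vector: murmur3_32(b"foo") == -156908512."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    mask = 0xFFFFFFFF
    h = seed & mask
    n = len(data)
    body_end = n - (n % 4)

    # Body: four little-endian bytes per block.
    for i in range(0, body_end, 4):
        k = int.from_bytes(data[i:i + 4], "little")
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask
        k = (k * c2) & mask
        h ^= k
        h = ((h << 13) | (h >> 19)) & mask
        h = (h * 5 + 0xE6546B64) & mask

    # Tail: the remaining 0 to 3 bytes.
    tail = data[body_end:]
    if tail:
        k = int.from_bytes(tail, "little")
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask
        k = (k * c2) & mask
        h ^= k

    # Finalisation mix.
    h ^= n
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & mask
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & mask
    h ^= h >> 16
    return h - 0x100000000 if h & 0x80000000 else h


def favicon_hash(favicon_bytes: bytes) -> int:
    """Favicon hash as scanners compute it: MurmurHash3 of the base64 text
    *including* the 76-column line breaks and trailing newline that
    base64.encodebytes (equivalently codecs.encode(..., "base64")) emits.
    Hashing base64.b64encode output instead gives a value that will not
    match anything in the scan datasets."""
    return murmur3_32(base64.encodebytes(favicon_bytes))


# Constructed placeholder icon (ICO header bytes plus filler), not a real
# OpenClaw favicon. In a real survey these would be the bytes fetched from
# each host's /favicon.ico.
SAMPLE_FAVICON = b"\x00\x00\x01\x00\x01\x00\x10\x10" + bytes(range(256)) * 2


def same_icon(icon_a: bytes, icon_b: bytes) -> bool:
    """Two hosts are candidates for the same software if their icon hashes match."""
    return favicon_hash(icon_a) == favicon_hash(icon_b)


if __name__ == "__main__":
    print("favicon hash:", favicon_hash(SAMPLE_FAVICON))
```

Once a reference deployment's hash is known, the pivot to the wider population is a search such as `http.favicon.hash:<value>` in Shodan (other scan datasets expose an equivalent filter); the whole technique hinges on using the newline-bearing base64 form, which is why the helper above refuses the shortcut of `b64encode`.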

Unlike a traditional web application, each of these panels fronts an autonomous agent designed to execute tasks on behalf of its user.

The team's core finding is a dangerous default configuration.

By default, OpenClaw binds its control panel to 0.0.0.0, the wildcard address that accepts connections on every network interface, rather than to 127.0.0.1, which would limit it to the user's own machine. On a host with a public IP address and no firewall in front of it, that makes the panel reachable from anywhere on the internet.

Consequently, anyone with an internet connection can locate these panels. If the user hasn’t set a strong password, or any password at all, an attacker can walk right in.
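Whether a given deployment really has the panel on the wildcard address is something an operator can check on the host itself, before an internet scanner does it for them. The script below is an added example, not OpenClaw code or an official check from the project or from STRIKE: it parses `ss -tlnp` output (a constructed sample is embedded; the process names and port numbers in it are placeholders, not OpenClaw's real values) and reports every listening TCP socket that is not bound to a loopback address, which is exactly the exposure condition described above.

```python
import ipaddress
import re
import subprocess
from typing import NamedTuple


class Listener(NamedTuple):
    process: str
    address: str
    port: int


# Constructed sample of `ss -tlnp` output (Linux iproute2). Process names and
# ports are placeholders chosen for illustration, not OpenClaw's real values.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*         users:(("panel-local",pid=101,fd=12))
LISTEN 0      128    0.0.0.0:8081        0.0.0.0:*         users:(("panel-wildcard",pid=102,fd=12))
LISTEN 0      128    [::]:8082           [::]:*            users:(("panel-wildcard6",pid=103,fd=12))
LISTEN 0      128    [::1]:8083          [::]:*            users:(("panel-local6",pid=104,fd=12))
LISTEN 0      128    203.0.113.7:8084    0.0.0.0:*         users:(("panel-public",pid=105,fd=12))
LISTEN 0      128    *:8085              *:*               -
"""

_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s*(?P<proc>.*)$")
_PROC = re.compile(r'\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')


def parse_listeners(ss_output: str) -> list[Listener]:
    """Extract (process, bind address, port) from each LISTEN row."""
    listeners = []
    for line in ss_output.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # header row or anything that is not a listener
        addr, port = m.group("local").rsplit(":", 1)
        addr = addr.strip("[]")  # IPv6 binds are bracketed, e.g. [::]:8082
        p = _PROC.search(m.group("proc"))
        name = p.group("name") if p else "?"  # ss hides the owner without -p/root
        listeners.append(Listener(name, addr, int(port)))
    return listeners


def is_loopback_only(address: str) -> bool:
    """True only if the socket can be reached solely from the local machine."""
    if address == "*":
        return False  # ss prints * for a wildcard bind
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # unparseable: report it rather than silently pass it


def exposed_listeners(ss_output: str) -> list[Listener]:
    """Every listener bound to something other than 127.0.0.0/8 or ::1."""
    return [lst for lst in parse_listeners(ss_output) if not is_loopback_only(lst.address)]


def audit_host() -> list[Listener]:
    """Run the check against the current Linux host (needs iproute2's ss)."""
    out = subprocess.run(["ss", "-tlnp"], capture_output=True, text=True, check=True).stdout
    return exposed_listeners(out)


if __name__ == "__main__":
    for lst in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"EXPOSED  {lst.process:16s} {lst.address}:{lst.port}")
```

The check deliberately treats anything that is not loopback as exposed, including a bind to a single non-loopback interface address: whether such an address is actually routable from the internet depends on the host's network and firewall, and that is a question the socket table alone cannot answer. A panel that must be reached remotely belongs on 127.0.0.1 behind an authenticating reverse proxy or an SSH tunnel, not on the wildcard address.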


The risk here is specific to "agentic" AI. An attacker who compromises a standard web server gains access to data.

An attacker who compromises an OpenClaw agent gains the ability to act: they inherit the agent's permissions and can operate with the victim's authority.

Global Exposure – Source: securityscorecard

The research highlights that compromising an instance gives attackers access to:

  • Credentials: API keys, OAuth tokens, and service passwords stored in the ~/.openclaw/credentials/ directory.
  • System Files: Full filesystem access, including SSH keys in ~/.ssh/ and browser profiles.
  • Identity Impersonation: The ability to send messages as the victim on platforms like Telegram, Discord, or WhatsApp.
  • Financial Assets: Automation that can drain crypto wallets or control authenticated browser sessions.

The exposure is compounded by severe software flaws. Of the roughly 42,900 exposed hosts, over 15,000 run versions vulnerable to remote code execution (RCE).

This includes CVE-2026-25253 (CVSS 8.8), a “1-click” vulnerability in which a single malicious link can steal a user’s authentication token.

Complicating matters is "version fragmentation": the ecosystem is littered with old forks and renamed releases of the software.

STRIKE's data shows that nearly 40% of instances still identify themselves as "Clawdbot Control" and another 38.5% as "Moltbot Control," meaning most deployments have not been updated to current, patched releases.

The vulnerable instances are concentrated in major cloud providers, suggesting that insecure deployment templates are being replicated at scale.
