Over 15,000 OpenClaw Control Panels Exposed, Granting Full System Access to Attackers
A significant security lapse has been uncovered in the OpenClaw framework, formerly known as Moltbot, which has led to over 15,000 instances being exposed to the public internet. This exposure allows unauthorized individuals to gain full control over affected systems, posing severe risks to both personal and corporate environments.
Discovery and Scope
The SecurityScorecard STRIKE Threat Intelligence Team conducted a comprehensive analysis and identified 42,900 unique IP addresses hosting exposed OpenClaw control panels across 82 countries. These instances are not traditional web servers but often personal workstations or cloud instances running AI agents. The inadvertent exposure is primarily due to insecure default settings within the OpenClaw framework.
Root Cause of Exposure
The core issue lies in OpenClaw’s default configuration, which binds the service to `0.0.0.0:18789`, listening on all network interfaces. This setting contrasts with the more secure `127.0.0.1` (localhost) standard. Consequently, users deploying the tool for personal automation have unintentionally made their control panels accessible to the entire internet. The STRIKE report emphasizes the gravity of this misconfiguration, stating, The math is simple: when you give an AI agent full access to your computer, you give that same access to anyone who can compromise it.
Compounding Vulnerabilities
The situation is further exacerbated by three high-severity Common Vulnerabilities and Exposures (CVEs) present in older versions of OpenClaw:
1. CVE-2026-25253 (CVSS 8.8): A 1-click Remote Code Execution (RCE) vulnerability. Attackers can craft a malicious link that, if clicked by the OpenClaw user, steals their authentication token and grants the attacker full control over the agent.
2. CVE-2026-25157 (CVSS 7.8): An SSH command injection flaw in the macOS application, allowing arbitrary command execution via malicious project paths.
3. CVE-2026-24763 (CVSS 8.8): A Docker sandbox escape vulnerability that allows an agent to break out of its containerized environment and access the host system via PATH manipulation.
Although patches were released in version 2026.1.29 on January 29, data indicates that 78% of exposed instances are still running older versions branded as Clawdbot or Moltbot, leaving them vulnerable to these exploits.
Implications of Compromised AI Agents
The compromise of an AI agent like OpenClaw presents unique and amplified threats compared to traditional software vulnerabilities. These agents are designed to perform tasks on behalf of the user, such as reading emails, managing infrastructure, and executing code. Therefore, an attacker who gains control over an agent inherits these privileges, leading to potential access to sensitive directories, including `~/.ssh/` keys, cloud credentials, and authenticated browser sessions. This access can be exploited to pivot into corporate networks, drain cryptocurrency wallets, or impersonate the victim on various platforms.
Evidence of Advanced Persistent Threats
The investigation also uncovered evidence of advanced persistent threat (APT) groups, including Kimsuky and APT28, operating in proximity to these exposed instances. Approximately 33.8% of the exposed infrastructure correlates with known threat actor activity, indicating that these tools are either being used by attackers or are deployed on infrastructure already under their control.
Mitigation Recommendations
To address this critical security issue, the following steps are recommended:
1. Immediate Patching: Users should upgrade to OpenClaw version 2026.1.29 or later to mitigate known vulnerabilities.
2. Configuration Review: Modify the default configuration to bind the service to `127.0.0.1` to restrict access to the local machine.
3. Access Controls: Implement robust authentication mechanisms and restrict access to the control panel to authorized users only.
4. Network Segmentation: Isolate AI agents from sensitive network segments to limit potential lateral movement by attackers.
5. Monitoring and Logging: Establish comprehensive monitoring and logging to detect unauthorized access attempts and respond promptly.
Conclusion
The widespread exposure of OpenClaw control panels underscores the critical importance of secure default configurations and timely patch management. As AI agents become increasingly integrated into personal and corporate environments, ensuring their security is paramount to prevent unauthorized access and potential exploitation by malicious actors.
