Wednesday, May 7, 2025
HomeCyber AIHackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

Published on

SIEM as a Service

Follow Us on Google News

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across various sectors, including education, cryptocurrency, and biopharma.

This vulnerability, known as CVE-2023-48022, has been under active exploitation for the past seven months, allowing attackers to hijack computing power and leak sensitive data.

The Discovery of CVE-2023-48022: ShadowRay

Late in 2023, five unique vulnerabilities were disclosed to Anyscale, the developers of Ray, by cybersecurity entities Bishop Fox, Bryce Bearchell, and Protect AI.

- Advertisement - Google News

Anyscale addressed four of these vulnerabilities in Ray version 2.8.1, but the fifth, CVE-2023-48022, remains disputed and unpatched.

The Oligo team has dubbed this vulnerability “ShadowRay” due to its ability to evade static scans and lead to significant breaches.

AI environments are goldmines for attackers due to the sensitive information they contain, such as private intellectual property, third-party tokens, and access to company databases.

The high-powered machines used for AI models are also prime targets for their computing power.

The Oligo research team has uncovered an active attack campaign that has put thousands of servers at risk.

Meet Ray: The Affected Framework

Ray is a unified framework designed to scale AI and Python applications.

Anyscale maintains it and has garnered significant attention, with 30K stars on GitHub.

Large organizations like Uber, Amazon, and OpenAI use Ray in production for its scalability and efficiency.

Source: anyscale.com
Source: ray.io
Source: ray.io

The Exploitation of Ray Clusters

The lack of authorization in Ray’s Jobs API has been a critical point of exploitation.

Attackers with network access to the dashboard can invoke arbitrary jobs on the remote host without authorization.

Ray’s official Kubernetes deployment guide [10] and Kuberay’s Kubernetes operator encourage people to expose the dashboard on 0.0.0.0:

This oversight has led to the compromise of numerous publicly exposed Ray servers, with attackers leveraging the flaw for cryptocurrency mining and data theft.

The collective value of the compromised machines is staggering, with the potential worth nearing a billion USD.

Attackers are drawn to these machines not only for the sensitive information they can extract but also for the high value of the GPUs, which are in short supply and expensive.

A6000 GPUs from the machine above are out of stock on NVIDIA’s website
A6000 GPUs from the machine above are out of stock on NVIDIA’s website

The Common Thread: Crypto Miners

Oligo Research has identified patterns in the compromised clusters, suggesting that the same attackers targeted them.

Crypto-mining campaigns have been leveraging ShadowRay to install miners and reverse-shells, with some attackers reaching the top 5% of miners in certain pools.

XMRig crypto miner connected to Zephyr mining pool
XMRig crypto miner connected to Zephyr mining pool

In light of these findings, organizations using Ray are urged to review their environments for exposure and analyze any suspicious activity.

For more detailed information on the vulnerabilities and the steps taken by Anyscale, readers can refer to the blog posts by Bishop Fox, Bryce Bearchell, and Protect AI.

Ray users must be aware of the security aspects and common pitfalls associated with the framework.

As the battle between functionality and security continues, the Ray incident serves as a stark reminder of the importance of vigilance in the digital age.

The disputed nature of CVE-2023-48022 has not only highlighted the complexities of software development but also the critical need for robust security measures in protecting valuable AI infrastructure.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

BFDOOR Malware Targets Organizations to Establish Long-Term Persistence

The BPFDoor malware has emerged as a significant threat targeting domestic and international organizations,...

Uncovering the Security Risks of Data Exposure in AI-Powered Tools like Snowflake’s CORTEX

As artificial intelligence continues to reshape the technological landscape, tools like Snowflake’s CORTEX Search...

UNC3944 Hackers Shift from SIM Swapping to Ransomware and Data Extortion

UNC3944, a financially-motivated threat actor also linked to the group known as Scattered Spider,...

Over 2,800 Hacked Websites Targeting MacOS Users with AMOS Stealer Malware

Cybersecurity researcher has uncovered a massive malware campaign targeting MacOS users through approximately 2,800...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

BFDOOR Malware Targets Organizations to Establish Long-Term Persistence

The BPFDoor malware has emerged as a significant threat targeting domestic and international organizations,...

Uncovering the Security Risks of Data Exposure in AI-Powered Tools like Snowflake’s CORTEX

As artificial intelligence continues to reshape the technological landscape, tools like Snowflake’s CORTEX Search...

UNC3944 Hackers Shift from SIM Swapping to Ransomware and Data Extortion

UNC3944, a financially-motivated threat actor also linked to the group known as Scattered Spider,...