
SecurityScorecard discovered 42,900 OpenClaw AI agent control panels exposed to the internet with 15,200 vulnerable to remote code execution through three critical CVEs, granting attackers complete system access to credentials, API keys, and connected services. Meanwhile, threat actors hijacked the AgreeTo Outlook add-in through abandoned Vercel hosting infrastructure, deploying phishing kits that stole 4,000+ Microsoft account credentials plus credit card details. Axios disclosed CVE-2026-24985, a denial-of-service vulnerability in the popular HTTP client affecting millions of Node.js applications. Security researchers identified LTX Stealer, a sophisticated Node.js-based credential harvesting malware targeting browser passwords, cryptocurrency wallets, and authentication tokens. Fortinet patched multiple high-severity vulnerabilities including authentication bypasses and privilege escalation flaws across FortiManager, FortiAnalyzer, and FortiOS platforms.
These February 2026 incidents demonstrate converging supply chain and infrastructure threats. OpenClaw's default configuration binds to 0.0.0.0:18789, exposing control interfaces globally unless explicitly restricted. Approximately 78% of discovered instances run outdated versions labeled "Clawdbot" or "Moltbot" despite patches released January 29, 2026. The AgreeTo hijacking exploits Microsoft's one-time manifest validation—content changes after approval bypass re-review. Axios CVE-2026-24985 enables attackers to crash Node.js servers through malformed HTTP requests. LTX Stealer employs advanced evasion including VM detection, geofencing, and targeted credential harvesting. Fortinet's patches address vulnerabilities ranging from CVSS 7.0 to 8.6 affecting enterprise network management platforms.
This analysis examines verified technical details through vendor advisories, security research publications, and independent analysis. You'll understand attack mechanics across AI agent infrastructure, software supply chains, runtime vulnerabilities, and network appliances while implementing evidence-based defensive controls.
OpenClaw Mass Exposure: 42,900 AI Agents Accessible Globally
The Insecure Default Configuration Crisis
SecurityScorecard's STRIKE Threat Intelligence Team conducted internet-wide reconnaissance and identified 42,900 unique IP addresses hosting exposed OpenClaw control panels across 82 countries. The framework, formerly known as Clawdbot and Moltbot, lets autonomous AI agents execute tasks including messaging, file management, and external service integration on users' behalf. Default configurations bind services to 0.0.0.0:18789, which listens on all network interfaces rather than only on localhost (127.0.0.1) and exposes the control panel to the entire internet.
The exposure grants unprecedented access to "agentic AI" infrastructure, where a compromised agent inherits every permission it was granted. Attackers who access OpenClaw instances obtain the credentials stored in ~/.openclaw/credentials/, including API keys, OAuth tokens, and service passwords. Full filesystem access exposes SSH keys in ~/.ssh/ and browser profiles. Messaging platform integration enables identity impersonation: messages can be sent as the victim on Telegram, Discord, and WhatsApp. Financial automation capabilities allow cryptocurrency wallet drainage or manipulation of authenticated browser sessions for banking access.
Important: Unlike traditional application vulnerabilities requiring exploitation, OpenClaw exposure results from misconfiguration. Many instances lack authentication entirely—attackers simply connect through exposed ports without passwords, exploiting insecure defaults users never hardened.
Triple CVE Vulnerability Stack
SecurityScorecard identified 15,200 instances vulnerable to three high-severity CVEs despite patches released January 29, 2026. CVE-2026-25253 (CVSS 8.8) enables one-click remote code execution: a malicious link steals authentication tokens that grant full agent control, even when the agent is bound to localhost. CVE-2026-25157 (CVSS 7.8) is an SSH command injection in macOS applications, where maliciously crafted project paths execute arbitrary commands. CVE-2026-24763 (CVSS 8.8) permits Docker sandbox escape via PATH manipulation, allowing agents to break out of containerization and access host systems.
Version fragmentation compounds risk. STRIKE data shows 40% of instances still identify as "Clawdbot Control" and 38.5% as "Moltbot Control"—outdated forks users rarely update. The ecosystem exhibits poor patch adoption despite public exploit code availability for all three vulnerabilities. Exposed deployments concentrate heavily in major cloud providers—45% on Alibaba Cloud with 37% in China—suggesting repeatable insecure deployment templates propagating misconfigurations at scale.
Risk Assessment by Exposure Type
| Exposure Factor | Affected Instances | Attack Complexity | Business Impact |
|---|---|---|---|
| Default 0.0.0.0 Binding | 42,900 | Low (port scanning) | Critical—unauthenticated access |
| CVE-2026-25253 RCE | 15,200 | Low (public exploits) | Critical—full system control |
| Prior Breach Correlation | 53,300 | N/A (already compromised) | Critical—active exploitation |
| Weak/No Authentication | ~30,000 estimated | Trivial (direct login) | Critical—immediate access |
Comprehensive Remediation Framework
Update all OpenClaw instances to version 2026.2.1 or later, which addresses the RCE vulnerabilities. In the configuration file, set gateway.bind to "127.0.0.1" to prevent external network access. Rotate all credentials immediately, treating API keys, OAuth tokens, and service passwords stored within agents as compromised. For remote access, use zero-trust tunnels such as Tailscale or Cloudflare Tunnel instead of direct internet exposure.
Block port 18789 at network perimeters using firewall rules. Monitor for unusual outbound command-and-control traffic originating from internal workstations running AI agents. Deploy network segmentation isolating AI agent infrastructure from production systems. Implement least-privilege principles limiting agent permissions to minimum required functionality—avoid "god mode" configurations granting unrestricted system access.
Establish governance frameworks for AI agent deployment that require security review before production use. Maintain an asset inventory tracking all OpenClaw installations, versions, network exposure status, and granted permissions. Schedule regular security audits that specifically target AI agent infrastructure, which is often overlooked in traditional vulnerability management programs. Consider the "Declawed" dashboard (SecurityScorecard STRIKE), which provides real-time visibility into global OpenClaw exposure trends and is updated every 15 minutes.
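One way to check a host for the binding problem described above is to classify every listener on port 18789 by the interface it is bound to. This is an added example, not code from the article or from the OpenClaw project; it assumes Linux `ss -ltnH` output, and the sample lines are constructed.

```python
import ipaddress

OPENCLAW_PORT = 18789  # default control-panel port named in the article

# Constructed sample of `ss -ltnH` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
LISTEN 0      511          0.0.0.0:18789      0.0.0.0:*
LISTEN 0      128        127.0.0.1:5432       0.0.0.0:*
LISTEN 0      511             [::]:18789         [::]:*
LISTEN 0      511        127.0.0.1:18789      0.0.0.0:*
LISTEN 0      4096      10.20.0.15:18789      0.0.0.0:*
LISTEN 0      128                *:22               *:*
"""

ACTIONS = {
    "wildcard": 'set gateway.bind to "127.0.0.1" and block the port at the perimeter',
    "specific": "confirm the interface is not internet-routable; prefer loopback plus a tunnel",
    "loopback": "local only; still update, the article notes CVE-2026-25253 works against localhost binds",
    "unknown": "review manually",
}


def split_host_port(local):
    """Split '0.0.0.0:18789', '[::]:18789' or '*:22' into (host, port)."""
    host, _, port = local.rpartition(":")
    # Drop an optional %interface scope first, then the IPv6 brackets.
    host = host.split("%", 1)[0].strip("[]")
    return host, port


def classify_bind(host):
    """Return 'wildcard', 'loopback', 'specific' or 'unknown' for a bind address."""
    if host in ("*", "0.0.0.0", "::"):
        return "wildcard"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"
    return "loopback" if addr.is_loopback else "specific"


def audit_listeners(ss_output, port=OPENCLAW_PORT):
    """List every listener on `port` with its bind classification and follow-up."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if "LISTEN" not in fields:
            continue
        idx = fields.index("LISTEN")  # tolerates a leading Netid column
        if len(fields) <= idx + 3:
            continue
        host, local_port = split_host_port(fields[idx + 3])
        if local_port != str(port):
            continue
        kind = classify_bind(host)
        findings.append({"bind": host, "kind": kind, "action": ACTIONS[kind]})
    return findings


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"{f['bind']:>12}  {f['kind']:<9} {f['action']}")
```

On a live host, pass the text produced by `ss -ltnH` to `audit_listeners` in place of the constructed sample.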
Pro Tip: The compromise of an AI agent carries amplified threat compared to traditional software vulnerabilities. Agents operate with legitimate authority making malicious activity appear normal, delaying detection and increasing impact. Treat every agent deployment as privileged identity management requiring equivalent security controls.
AgreeTo Outlook Add-In Hijacking: Supply Chain Attack Through Abandoned Infrastructure
The Subdomain Takeover Mechanism
Koi Security researchers disclosed the first documented malicious Microsoft Outlook add-in, which leveraged supply chain vulnerabilities to steal 4,000+ Microsoft account credentials plus credit card details. AgreeTo originally launched in December 2022 as a legitimate meeting scheduling tool developed by an independent publisher. Office add-ins are not standalone downloaded applications; they are URLs pointing to developer-hosted content that Microsoft products load in iframes.
The developer hosted AgreeTo on Vercel infrastructure (outlook-one.vercel.app) but abandoned the project despite having established a user base. Crucially, the add-in remained listed on Microsoft's Office Add-in Store after abandonment. Threat actors claimed the orphaned Vercel subdomain and gained instant control over the content displayed within victims' Outlook sidebars, without requiring new Microsoft approval.
Microsoft validates add-in manifest files (XML configuration) only at initial submission. AgreeTo's 2022 manifest passed security review granting "ReadWriteItem" permissions enabling email reading and modification. When hijacked, attackers replaced legitimate scheduling functionality with fake Microsoft sign-in pages, password collection forms, exfiltration scripts, and redirects—all served through the pre-approved add-in infrastructure.
Attack Chain Technical Analysis
Victims installing AgreeTo from Microsoft's marketplace loaded attacker-controlled content displaying fake Microsoft authentication prompts. The phishing kit collected usernames, passwords, and multi-factor authentication codes. Secondary pages harvested credit card numbers, CVV codes, expiration dates, and banking security answers. Exfiltration scripts transmitted stolen credentials to attacker infrastructure before redirecting victims to legitimate Microsoft services masking the compromise.
Attack Progression Timeline
| Stage | Attacker Action | User Experience | Microsoft Review |
|---|---|---|---|
| 2022 | Original AgreeTo developed | Legitimate scheduling tool | Manifest approved |
| Early 2026 | Developer abandons Vercel URL | Add-in continues functioning | No re-validation |
| Mid-Feb 2026 | Attacker claims outlook-one.vercel.app | Phishing kit deployed | No content review |
| Active | Victims install from Store | Fake login prompts appear | Manifest unchanged |
| Discovery | Koi Security identifies theft | 4,000+ credentials stolen | Add-in removed |
The Fundamental Trust Model Failure
Microsoft's add-in security model exhibits a critical architectural weakness: one-time manifest validation without continuous content monitoring. Developers can change hosted content arbitrarily after approval without triggering re-review. The trust relationship breaks when infrastructure changes ownership: Microsoft validates the original publisher but cannot detect when a different party controls content delivery.
This supply chain attack vector scales dangerously. Any add-in hosted on third-party infrastructure risks similar compromise if developers abandon domains, hosting subscriptions lapse, or DNS records expire. The Microsoft Store marketplace hosts hundreds of add-ins potentially vulnerable to identical subdomain takeover attacks. Organizations cannot distinguish compromised add-ins from legitimate ones through marketplace listings alone.
Enterprise Defense Strategies
Implement strict add-in governance policies requiring IT approval before installation. Maintain allowlists of vetted add-ins rather than permitting users to install arbitrary marketplace applications. Deploy Microsoft Defender for Office 365 with add-in monitoring detecting suspicious behavior patterns. Enable Conditional Access policies restricting add-in usage to managed devices meeting compliance requirements.
Audit installed add-ins across organizational tenants identifying those no longer actively maintained or using third-party hosting infrastructure. Review add-in permissions ensuring they match stated functionality—scheduling tools shouldn't require "ReadWriteItem" permissions granting full email access. Monitor authentication logs for unusual credential validation patterns potentially indicating phishing through compromised add-ins.
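The audit described above can start from the add-in manifests themselves: read the requested permission level and every host the manifest loads content from, then flag broad permissions and hosts on platforms where a released subdomain can be re-registered. This is an added example, not code from the article, Koi Security or Microsoft; the manifest is constructed for hypothetical add-ins, and every hosting suffix other than vercel.app is an assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Hosting suffixes where a released subdomain can be claimed by someone else.
# vercel.app comes from the article; the rest are assumptions for illustration.
CLAIMABLE_SUFFIXES = ("vercel.app", "netlify.app", "github.io", "herokuapp.com")
# Mail add-in permission levels that allow modifying items or the whole mailbox.
BROAD_PERMISSIONS = {"ReadWriteItem", "ReadWriteMailbox"}

# Constructed manifest template for hypothetical add-ins (not AgreeTo's manifest).
MANIFEST_TEMPLATE = """\
<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <ProviderName>Example Publisher</ProviderName>
  <DisplayName DefaultValue="{name}"/>
  <AppDomains><AppDomain>{origin}</AppDomain></AppDomains>
  <FormSettings>
    <Form xsi:type="ItemRead">
      <DesktopSettings>
        <SourceLocation DefaultValue="{origin}/taskpane.html"/>
      </DesktopSettings>
    </Form>
  </FormSettings>
  <Permissions>{permission}</Permissions>
</OfficeApp>
"""
RISKY = MANIFEST_TEMPLATE.format(
    name="Example Scheduler",
    origin="https://example-scheduler.vercel.app",
    permission="ReadWriteItem",
)
VETTED = MANIFEST_TEMPLATE.format(
    name="Example Notes", origin="https://addins.example.com", permission="ReadItem"
)


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _is_claimable(host):
    return any(host == s or host.endswith("." + s) for s in CLAIMABLE_SUFFIXES)


def audit_manifest(xml_text):
    """Return name, permission, content hosts and review findings for a manifest."""
    root = ET.fromstring(xml_text)  # feed only manifests from your own inventory
    name, permission, hosts = None, None, set()
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "DisplayName" and name is None:
            name = el.get("DefaultValue")
        elif tag == "Permissions":
            permission = (el.text or "").strip()
        # URLs appear as DefaultValue attributes (SourceLocation, IconUrl, ...)
        # and as element text (AppDomain).
        for value in (el.get("DefaultValue"), el.text):
            if value and value.strip().lower().startswith(("http://", "https://")):
                host = urlsplit(value.strip()).hostname
                if host:
                    hosts.add(host.lower())
    findings = []
    if permission in BROAD_PERMISSIONS:
        findings.append(f"broad-permission:{permission}")
    findings += [f"claimable-hosting:{h}" for h in sorted(hosts) if _is_claimable(h)]
    return {"name": name, "permission": permission,
            "hosts": sorted(hosts), "findings": findings}


if __name__ == "__main__":
    for manifest in (RISKY, VETTED):
        print(audit_manifest(manifest))
```

A finding is a prompt for review, not proof of compromise. A custom domain whose DNS still points at a released hosting resource carries the same takeover risk and needs a DNS check that this offline example does not perform.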
Educate users to recognize authentication prompts within add-in contexts. Legitimate Microsoft services rarely request credentials from within Outlook sidebars, so such prompts warrant immediate security team notification. Implement phishing-resistant MFA methods such as FIDO2 security keys or Windows Hello for Business, which reduce the impact of credential theft even when users submit passwords to fake forms.
Pro Tip: The AgreeTo incident demonstrates that Microsoft's marketplace presence doesn't guarantee ongoing security. Organizations must treat add-ins as third-party software requiring continuous risk assessment rather than trusting initial marketplace approval as permanent validation.
Axios and LTX Stealer: Node.js Ecosystem Under Attack
CVE-2026-24985: Denial-of-Service in HTTP Client
Axios, the widely-deployed HTTP client library for Node.js and browsers with over 30 million weekly npm downloads, disclosed CVE-2026-24985 enabling denial-of-service attacks through malformed HTTP requests. The vulnerability affects applications using Axios for server-side HTTP communications where attackers can craft requests triggering resource exhaustion or application crashes.
The flaw stems from improper handling of specific request configurations combined with error conditions. While technical exploitation details remain under coordinated disclosure, the attack complexity rates as low: attackers require only the ability to influence HTTP request parameters processed by vulnerable Axios versions. Successful exploitation crashes Node.js servers, disrupting service availability without requiring authentication or elevated privileges.
LTX Stealer: Advanced Node.js-Based Credential Theft
Security researchers identified LTX Stealer, sophisticated malware written in Node.js specifically targeting credential harvesting across browsers, cryptocurrency applications, and authentication systems. The stealer employs advanced evasion techniques including virtual machine detection, geographic targeting through IP geofencing, and anti-analysis mechanisms preventing security researcher inspection.
LTX Stealer exfiltrates browser-saved passwords from Chromium-based browsers, Firefox, and Edge. Cryptocurrency wallet targeting includes Exodus, Atomic, Electrum, and browser extension wallets like MetaMask. The malware harvests authentication tokens enabling persistent access without requiring password re-entry. Advanced capabilities include screenshot capture, system information fingerprinting, and installed software enumeration providing comprehensive victim profiling.
Node.js Threat Landscape Comparison
| Threat | Vector | Primary Target | Evasion Capability | Distribution Method |
|---|---|---|---|---|
| CVE-2026-24985 (Axios) | Vulnerability | Server availability | N/A (CVE) | Legitimate package |
| LTX Stealer | Malware | User credentials | High (VM detection, geofencing) | Trojanized apps, phishing |
| npm Typosquatting | Supply chain | Developer systems | Medium (obfuscation) | Fake packages |
| Malicious Dependencies | Supply chain | CI/CD pipelines | Low to Medium | Compromised packages |
Defense-in-Depth for Node.js Environments
Update Axios to a patched version immediately to address CVE-2026-24985. Implement input validation on all HTTP request parameters so that malformed data does not reach vulnerable libraries. Deploy application monitoring that detects abnormal resource consumption patterns indicating potential DoS attacks. Configure rate limiting and request throttling to protect against abuse even when vulnerabilities exist.
Deploy endpoint detection monitoring for Node.js-based malware execution patterns. LTX Stealer detection requires behavioral analysis—static signatures prove insufficient against polymorphic malware. Implement application allowlisting restricting execution to verified Node.js applications from trusted sources. Monitor for suspicious credential access patterns including rapid enumeration of browser password stores or cryptocurrency wallet files.
Audit npm dependencies with tools such as npm audit, Snyk, or Socket.dev to identify known vulnerabilities and malicious packages. Implement Software Bill of Materials (SBOM) tracking for all Node.js applications so that new CVEs can be answered quickly. Lock dependency versions in package.json so that automatic updates cannot introduce malicious code published through compromised maintainer accounts.
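The version-locking advice above can be checked mechanically by listing every dependency whose specifier is not an exact version. This is an added example, not code from the article or from npm; the package.json content is constructed and its version numbers are placeholders.

```python
import json
import re

# Exact semver, optionally prefixed with "=" or "v"; anything else can move.
EXACT = re.compile(r"^[=v]?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")
NON_REGISTRY = re.compile(r"^(?:git\+|git:|https?:|file:|github:)")
TAG = re.compile(r"^[A-Za-z][\w.-]*$")
SECTIONS = ("dependencies", "devDependencies", "optionalDependencies")

# Constructed manifest; the version numbers are placeholders and say nothing
# about which Axios release fixes CVE-2026-24985.
SAMPLE_PACKAGE_JSON = """\
{
  "name": "example-service",
  "dependencies": {
    "axios": "^1.2.3",
    "express": "4.18.2",
    "left-pad": "latest",
    "internal-utils": "github:example-org/internal-utils"
  },
  "devDependencies": {
    "jest": "~29.0.0",
    "typescript": "5.4.5"
  }
}
"""


def classify_spec(spec):
    """Classify one version specifier from package.json."""
    spec = spec.strip()
    if EXACT.match(spec):
        return "pinned"
    if NON_REGISTRY.match(spec) or "/" in spec:
        return "non-registry"  # git, URL or path source: not a registry version
    if TAG.match(spec):
        return "tag"           # dist-tag such as "latest"
    return "range"             # ^, ~, >=, *, 1.x, empty string, ...


def unpinned_dependencies(package_json_text):
    """Return (section, name, spec, kind) for every dependency that can float."""
    manifest = json.loads(package_json_text)
    findings = []
    for section in SECTIONS:
        for name, spec in manifest.get(section, {}).items():
            kind = classify_spec(str(spec))
            if kind != "pinned":
                findings.append((section, name, spec, kind))
    return findings


if __name__ == "__main__":
    for section, name, spec, kind in unpinned_dependencies(SAMPLE_PACKAGE_JSON):
        print(f"{section}: {name}@{spec} -> {kind}")
```

Exact versions in package.json fix only direct dependencies. Transitive dependencies stay fixed only when a lockfile is committed and installs run with `npm ci`.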
Enable browser credential encryption where available reducing value of harvested password databases. Implement password manager policies encouraging unique credentials per service—credential theft from one application shouldn't compromise others. Deploy hardware security keys or passwordless authentication eliminating reliance on passwords vulnerable to stealer malware.
Fortinet High-Severity Vulnerabilities Across Enterprise Platforms
Multi-Platform Security Updates
Fortinet released February 2026 security updates addressing multiple high-severity vulnerabilities across FortiManager, FortiAnalyzer, and FortiOS platforms. The patches include authentication bypasses enabling unauthorized administrative access, privilege escalation flaws allowing attackers to gain elevated permissions, and denial-of-service vulnerabilities disrupting critical network security infrastructure.
FortiManager and FortiAnalyzer vulnerabilities pose particular concern given their centralized management role across enterprise Fortinet deployments. Compromise of these platforms grants attackers visibility and control across entire security infrastructure fleets. Authentication bypass vulnerabilities eliminate defensive barriers enabling unauthenticated remote attackers to access administrative interfaces without valid credentials.
Fortinet Vulnerability Overview
| Product | Vulnerability Type | CVSS Range | Attack Vector | Authentication Required |
|---|---|---|---|---|
| FortiManager | Authentication Bypass | 7.8-8.6 | Network | None (bypass) |
| FortiAnalyzer | Privilege Escalation | 7.0-7.8 | Local/Network | Low privileges |
| FortiOS | Multiple Classes | 7.2-8.2 | Network | Varies by CVE |
| FortiClient | Information Disclosure | 6.8-7.4 | Local | User level |
Prioritized Patching Framework
Deploy Fortinet security updates immediately across all affected platforms, prioritizing internet-facing management interfaces and centralized control platforms. FortiManager and FortiAnalyzer warrant the highest priority given their network-wide impact scope. Keep management interfaces isolated from general user networks through network segmentation even after patching, as defense-in-depth.
Review authentication logs for suspicious access patterns potentially indicating prior exploitation attempts before patch deployment. Monitor for unauthorized administrative account creation, unusual configuration changes, or unexpected management interface sessions. Implement multi-factor authentication on all Fortinet administrative interfaces adding security layers beyond vulnerability patching.
Deploy intrusion detection systems monitoring for exploitation attempt signatures. While patches eliminate vulnerabilities, detection capabilities identify ongoing attack campaigns potentially targeting unpatched systems or zero-day vulnerabilities. Integrate Fortinet security advisories into vulnerability management workflows ensuring rapid awareness and response to future disclosures.
Conduct post-patch verification confirming successful update deployment and vulnerability remediation. Test critical functionality ensuring patches don't introduce compatibility issues with existing security policies or network configurations. Document patch deployment timelines establishing compliance with organizational SLA requirements and regulatory frameworks like PCI DSS requiring timely vulnerability remediation.
Key Takeaways
- Update all OpenClaw AI agent instances to version 2026.2.1 and configure gateway.bind to "127.0.0.1", preventing the internet exposure seen in 42,900 control panels across 82 countries and the remote code execution enabled by CVE-2026-25253, CVE-2026-25157, and CVE-2026-24763
- Implement Microsoft Office add-in governance requiring IT approval before installation and audit existing add-ins for abandoned third-party hosting infrastructure susceptible to subdomain takeover attacks like the AgreeTo incident stealing 4,000+ credentials
- Patch Axios HTTP client to address CVE-2026-24985 denial-of-service vulnerability and deploy npm dependency scanning identifying malicious packages like LTX Stealer targeting browser credentials and cryptocurrency wallets through Node.js-based malware
- Apply Fortinet February 2026 security updates immediately addressing authentication bypass and privilege escalation vulnerabilities across FortiManager, FortiAnalyzer, and FortiOS platforms with CVSS scores ranging 7.0-8.6
- Rotate all credentials stored within OpenClaw agents treating API keys, OAuth tokens, SSH keys, and service passwords as compromised given 53,300 exposed instances correlate with prior breach activity
- Establish AI agent deployment governance requiring security review, asset inventory, least-privilege permission models, and zero-trust network access replacing direct internet exposure through insecure default configurations
Conclusion
The OpenClaw mass exposure, AgreeTo add-in hijacking, Axios denial-of-service vulnerability, LTX Stealer malware, and Fortinet security updates demonstrate converging threats across AI agent infrastructure, software supply chains, runtime libraries, and network appliances. SecurityScorecard's discovery of 42,900 exposed AI agents with 15,200 vulnerable to remote code execution reveals how insecure defaults enable mass compromise without sophisticated exploitation. The AgreeTo subdomain takeover exploits Microsoft's one-time manifest validation enabling supply chain attacks through abandoned infrastructure.
Axios CVE-2026-24985 threatens availability of millions of Node.js applications while LTX Stealer demonstrates credential harvesting sophistication in JavaScript-based malware. Fortinet's multi-platform vulnerabilities affecting centralized management infrastructure demonstrate persistent targeting of enterprise security products. Organizations face threats requiring immediate tactical response and fundamental architectural evolution.
Patch OpenClaw today before remote code execution enables complete system compromise. Implement add-in governance preventing supply chain attacks through marketplace applications. Update Axios and audit Node.js dependencies for malicious packages. Deploy Fortinet security patches before authentication bypass vulnerabilities enable management platform compromise. The convergence of AI agent misconfigurations, supply chain weaknesses, runtime vulnerabilities, and appliance flaws demonstrates modern security requires comprehensive defense-in-depth assuming any single layer will fail. Start with immediate remediation protecting against known threats, then construct governance frameworks preventing exploitation of inevitable future vulnerabilities.
Frequently Asked Questions
Q: How can organizations identify all OpenClaw instances deployed across their infrastructure?
A: Conduct network scans for port 18789 (default OpenClaw listening port) across all network segments including developer workstations, cloud instances, and container environments. Deploy asset discovery tools scanning for OpenClaw process names and configuration files in user home directories (~/.openclaw/). Query cloud provider APIs identifying instances with OpenClaw in startup scripts or container images. Implement endpoint detection and response (EDR) solutions inventorying running processes and installed applications across managed devices.
Q: What specific Microsoft add-in permissions should raise security concerns during review?
A: "ReadWriteItem" permissions grant full email reading and modification capabilities, which is excessive for basic productivity tools. "ReadWriteMailbox" provides broader mailbox access beyond individual items. "SendAs" or "SendOnBehalf" permissions enable sending messages as the user without explicit action. "CalendarsReadWrite" combined with external URL hosting creates calendar-based phishing vectors. Any add-in requesting permissions that exceed its stated functionality (e.g., note-taking apps requesting email access) warrants denial or additional security review before approval.
Q: How does the Axios CVE-2026-24985 denial-of-service attack technically function?
A: While full technical details remain under coordinated disclosure, the vulnerability stems from improper handling of malformed HTTP request configurations combined with error conditions in Axios's request processing pipeline. Attackers craft HTTP requests with specific parameter combinations that trigger resource exhaustion through infinite loops, memory leaks, or unhandled exceptions, causing Node.js process crashes. The attack requires only the ability to influence HTTP request parameters, which is achievable through user input, API parameters, or upstream proxy manipulation in affected application architectures.
Q: What distinguishes LTX Stealer from traditional JavaScript-based malware?
A: LTX Stealer employs advanced evasion including virtual machine detection through hardware fingerprinting, geographic targeting via IP geofencing blocking analysis from security researcher locations, and anti-debugging mechanisms preventing dynamic analysis. The malware uses Node.js enabling cross-platform credential theft on Windows, macOS, and Linux systems. Sophisticated targeting focuses on cryptocurrency wallets and browser extension authentication rather than general file theft. Distribution through trojanized legitimate applications and social engineering reduces signature-based detection effectiveness.
Q: Why do Fortinet management platform vulnerabilities pose elevated risk compared to endpoint vulnerabilities?
A: FortiManager and FortiAnalyzer provide centralized control, monitoring, and configuration management across entire Fortinet security infrastructure deployments. Compromise through a single vulnerability grants attackers visibility into network topology, security policies, traffic patterns, and device configurations across organizational firewalls, VPNs, and security appliances. Authentication bypass vulnerabilities eliminate credential requirements, enabling unauthenticated remote access. Attackers leveraging compromised management platforms can disable protections, exfiltrate traffic logs, and establish persistent backdoor access across entire security infrastructure fleets from a single point of compromise.
