Cybersecurity | February 23, 2026

OpenClaw AI Framework Exploited: RCE Attacks and Data Theft Targeting 15,000+ Exposed Instances


Secured Intel Team, Editor


A critical vulnerability in a popular AI agent framework is giving attackers a direct path into enterprise networks — and thousands of organizations may not even know they're exposed. Security researchers have confirmed that multiple hacking groups are actively exploiting OpenClaw, an AI agent framework previously known as MoltBot and ClawdBot, to deploy malicious payloads and steal sensitive credentials. With over 15,000 instances currently exposed online, this threat has moved well beyond proof-of-concept.

The attacks leverage CVE-2026-25253 (CVSS 8.8), a critical remote code execution vulnerability that requires nothing more than a malicious link to trigger. Threat actors affiliated with nation-state APT groups — including Kimsuky and APT28 — have been observed exploiting these flaws to pivot into corporate networks, exfiltrate API keys, and even steal cryptocurrency.

This article breaks down how the attacks work, what data is at risk, and what security teams must do immediately to reduce their exposure.


Understanding CVE-2026-25253 and the OpenClaw Attack Surface

OpenClaw's rapid enterprise adoption has outpaced security scrutiny. The framework's architecture relies heavily on WebSocket connections and token-based authentication — two components that attackers have learned to abuse with alarming efficiency.

One-Click Remote Code Execution via WebSocket Hijacking

CVE-2026-25253 carries a CVSS score of 8.8, placing it firmly in the critical severity tier. The vulnerability enables one-click remote code execution by tricking a user into clicking a malicious link. Once clicked, the attacker hijacks the victim's active WebSocket connection and uses it to execute arbitrary commands under the context of the running OpenClaw process.

What makes this particularly dangerous is the minimal interaction required. There is no need for the attacker to authenticate, brute-force credentials, or maintain persistent access beforehand. A single malicious link sent via phishing email or chat message is enough to achieve full system access.

Sensitive File Exfiltration Targets

Once inside, attackers move quickly to harvest high-value files that OpenClaw stores on disk. The most critical target is openclaw.json, which contains gateway tokens used to authenticate against connected services. Alongside it, device.json stores cryptographic keys that may be tied to crypto wallets or signing operations. Memory files expose user context, conversation history, and potentially corporate intelligence, while broader configuration files reveal API keys, internal endpoints, and service credentials.

Important: If your OpenClaw deployment stores any of these files in default locations, assume they are accessible to an attacker who achieves RCE. Rotate all credentials immediately after patching.

Additional Patched Vulnerabilities Still Pose Risk

Beyond CVE-2026-25253, researchers identified Server-Side Request Forgery (SSRF) and path traversal vulnerabilities that were recently patched. However, the presence of these flaws in production systems underscores a systemic issue: organizations running older OpenClaw versions remain exposed to multiple attack vectors simultaneously.

Table: OpenClaw Vulnerability Summary

CVE / Flaw      | Type                        | CVSS Score | Status              | Impact
----------------|-----------------------------|------------|---------------------|------------------------
CVE-2026-25253  | Remote Code Execution       | 8.8        | Active exploitation | Full system access
SSRF Flaw       | Server-Side Request Forgery | Moderate   | Patched             | Internal network access
Path Traversal  | File Access                 | Moderate   | Patched             | Sensitive file read

Threat Actor Attribution: Kimsuky, APT28, and Opportunistic Groups

This isn't opportunistic scanning by low-skill attackers. Nation-state threat actors have identified OpenClaw as a high-value target, and their involvement raises the stakes significantly for enterprise defenders.

Kimsuky and APT28 Tactics

Kimsuky, a North Korean state-sponsored group, has historically targeted research institutions, think tanks, and cryptocurrency organizations. Their involvement in OpenClaw exploitation aligns with their known interest in crypto theft — particularly relevant given that device.json may contain cryptographic keys tied to digital assets. Once they obtain these keys, monetization is typically swift and untraceable.

APT28 (also known as Fancy Bear), attributed to Russian military intelligence (GRU), focuses on credential theft and long-term network persistence. Their use of OpenClaw exploits fits a well-documented pattern of targeting developer tools and AI infrastructure to gain footholds in corporate environments before moving laterally across internal systems.

Pivoting to Corporate Networks

After initial compromise, attackers don't stop at the OpenClaw instance. They use stolen gateway tokens and API keys to authenticate against connected enterprise services, move laterally through internal networks, and access cloud infrastructure tied to compromised API credentials. In several observed cases, attackers established persistence by planting backdoors directly within AI agent workflows — making detection significantly harder for defenders relying on traditional endpoint monitoring.

Pro Tip: Treat your AI agent framework with the same security posture as your identity provider. Compromise of OpenClaw can cascade into your entire connected infrastructure.

Table: Threat Actor Comparison

Group                | Attribution   | Primary Goal                  | Relevant OpenClaw Target
---------------------|---------------|-------------------------------|--------------------------
Kimsuky              | North Korea   | Crypto theft, espionage       | device.json, crypto keys
APT28                | Russia (GRU)  | Credential theft, persistence | Gateway tokens, API keys
Opportunistic groups | Unknown       | Financial gain                | All exposed configurations

Why 15,000+ Instances Are Exposed Online

The scale of exposure — more than 15,000 internet-facing OpenClaw instances — reflects a broader problem with how AI frameworks are being deployed in enterprise environments. Security controls that would be standard for databases or web applications are frequently absent for AI tooling, and the consequences are now playing out in real attacks.

Common Misconfigurations Enabling Attacks

Researchers identified several recurring patterns across exposed instances. Many deployments require no authentication to access the OpenClaw management interface, with default WebSocket ports left open to the public internet. Sensitive configuration files are frequently stored in web-accessible directories, and in the majority of cases reviewed, there is no network segmentation between the AI agent infrastructure and internal enterprise systems. Logging and monitoring were either absent or disabled entirely, leaving organizations with no visibility into exploitation activity.
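As an added check (not code from the article or the OpenClaw project), the following Python script tests two of the misconfigurations listed above on a host: a gateway port accepting connections on a wildcard address in ss -ltn output, and token/key files that are readable by other users or stored under a web-served directory. The port number, the file locations and the ss sample are constructed placeholders, not OpenClaw defaults.

```python
import os
import stat
import tempfile

# Constructed "ss -ltn" output (not captured from a real host); the port number is
# a placeholder, not OpenClaw's real default.
GATEWAY_PORT = 8080
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
LISTEN 0      128    [::]:8080           [::]:*
"""
WILDCARD = {"0.0.0.0", "[::]", "*"}

def public_listeners(ss_text, port):
    """Local socket strings on which `port` accepts connections from any interface."""
    found = []
    for line in ss_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, lport = fields[3].rpartition(":")
        if lport.isdigit() and int(lport) == port and addr in WILDCARD:
            found.append(fields[3])
    return found

def insecure_config_files(paths, web_root):
    """Flag token/key files readable by other users or stored under the web root."""
    problems = []
    web_root = os.path.realpath(web_root)
    for p in paths:
        if os.stat(p).st_mode & (stat.S_IRGRP | stat.S_IROTH):
            problems.append((p, "readable-by-group-or-others"))
        if os.path.commonpath([os.path.realpath(p), web_root]) == web_root:
            problems.append((p, "under-web-root"))
    return problems

def demo():
    """Build a throwaway layout: one file under the web root, one locked down elsewhere."""
    root = tempfile.mkdtemp()
    web_root = os.path.join(root, "public")
    os.mkdir(web_root)
    exposed = os.path.join(web_root, "openclaw.json")
    private = os.path.join(root, "device.json")
    for path, mode in ((exposed, 0o644), (private, 0o600)):
        with open(path, "w") as fh:
            fh.write("{}")
        os.chmod(path, mode)
    return public_listeners(SAMPLE_SS, GATEWAY_PORT), insecure_config_files([exposed, private], web_root)
```

Run demo() on a real host by feeding it the actual ss output and the real file paths; any non-empty result maps directly to a row in the exposure table below.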

The Enterprise Adoption Problem

OpenClaw's recent rebranding from MoltBot and ClawdBot suggests an evolving product with a rapidly growing user base. That growth is outpacing organizational security review cycles. NIST's Secure Software Development Framework (SSDF) and CIS Controls both emphasize that any new software deployment — particularly one with external connectivity — requires a dedicated security assessment before production use. AI frameworks are not exempt from this standard, yet they are routinely treated as low-risk developer tooling rather than the critical infrastructure they have become.

Table: Exposure Risk Assessment

Configuration State             | Risk Level | Likelihood of Compromise
--------------------------------|------------|-------------------------
Publicly exposed, unpatched     | Critical   | Very High
Publicly exposed, patched       | High       | High
Internal only, unpatched        | High       | Moderate
Internal only, patched          | Low        | Low
Air-gapped with access controls | Minimal    | Very Low

Immediate Remediation Steps for Security Teams

If your organization runs OpenClaw — under any of its previous names — you need to act now. Waiting for your next scheduled patch cycle is not an option given active exploitation in the wild.

Patch, Isolate, and Audit

The first priority is applying the latest OpenClaw patch addressing CVE-2026-25253 along with the SSRF and path traversal fixes. Simultaneously, remove any public internet exposure by placing all OpenClaw instances behind a VPN or zero-trust access gateway. Once access is restricted, rotate every credential stored in openclaw.json, device.json, and any related configuration files — assume these have already been read by an unauthorized party. Audit your access logs carefully for signs of exploitation, including unexpected WebSocket connections or unusual file access patterns, and use MITRE ATT&CK techniques T1071 (Application Layer Protocol) and T1552 (Unsecured Credentials) as detection guides.

Longer-Term Security Hardening

Beyond immediate remediation, organizations should enforce least-privilege access for all service accounts connected to OpenClaw and migrate secrets out of on-disk configuration files into a dedicated secrets manager. Regular penetration testing against AI agent infrastructure should become a standard practice, and deployments should align with ISO 27001 controls for access management and incident response. Treating AI frameworks with the same security rigor applied to identity systems is no longer optional — it is a baseline requirement.


Key Takeaways

  • Patch immediately — CVE-2026-25253 (CVSS 8.8) enables one-click RCE and is actively exploited by multiple threat actor groups
  • Rotate all credentials stored in OpenClaw configuration files, including gateway tokens and cryptographic keys
  • Remove public exposure — over 15,000 internet-facing instances are actively targeted; restrict access through VPN or zero-trust controls
  • Monitor for lateral movement — attackers use stolen tokens to pivot into broader corporate infrastructure after initial compromise
  • Treat AI frameworks as critical infrastructure — apply the same security standards you use for identity and access management systems
  • Audit your environment now — if your organization deployed MoltBot or ClawdBot in the past, verify whether those deployments were migrated to OpenClaw and whether they remain exposed

Conclusion

The active exploitation of OpenClaw is a clear signal that AI agent frameworks have become a serious attack surface — one that many organizations are not yet treating with appropriate urgency. Nation-state actors including Kimsuky and APT28 are already weaponizing CVE-2026-25253 to steal credentials, exfiltrate sensitive files, and pivot into enterprise networks. With more than 15,000 instances exposed online, the threat is both widespread and immediate.

Security teams must prioritize patching, credential rotation, and network isolation today. Going forward, any AI framework deployment should undergo the same security review process as other critical infrastructure. The organizations that act now will significantly reduce their exposure window — those that wait may find themselves managing a much larger incident.


Frequently Asked Questions

Q: What versions of OpenClaw are affected by CVE-2026-25253? A: All versions of OpenClaw prior to the patch addressing CVE-2026-25253 are considered vulnerable. Organizations that deployed the framework under its previous names — MoltBot or ClawdBot — should verify whether their installations were updated during rebranding or if they are running legacy versions still exposed to this flaw.

Q: How can I tell if my OpenClaw instance has already been compromised? A: Review your WebSocket connection logs for unexpected or unauthorized sessions, and check access logs for unusual read activity on openclaw.json and device.json. Any unexplained outbound connections from your OpenClaw host — particularly to unfamiliar external IPs — should be treated as a potential indicator of compromise and investigated immediately.
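The log review recommended in the remediation section and in this answer, worked as an added Python example (not the article's or OpenClaw's own code): it parses constructed access-log lines, flags completed WebSocket handshakes whose Origin header is not one of your own UI origins, and flags any successful HTTP read of openclaw.json or device.json. It assumes the gateway or its reverse proxy records the Origin header and that the link-triggered hijack shows up as a cross-origin handshake; the log format, paths and allowlisted origin are constructed.

```python
import re

# Constructed sample lines in combined log format, extended with the Origin
# header (assumption: the OpenClaw gateway or its reverse proxy logs Origin).
SAMPLE_LOG = """\
10.0.0.5 - alice [23/Feb/2026:09:12:01 +0000] "GET /gateway/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0" origin="https://openclaw.corp.example"
10.0.0.5 - alice [23/Feb/2026:09:14:44 +0000] "GET /gateway/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0" origin="https://evil.example"
203.0.113.9 - - [23/Feb/2026:09:15:02 +0000] "GET /config/openclaw.json HTTP/1.1" 200 2048 "-" "curl/8.4" origin="-"
10.0.0.5 - alice [23/Feb/2026:09:16:10 +0000] "GET /dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0" origin="https://openclaw.corp.example"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" origin="(?P<origin>[^"]*)"$'
)
ALLOWED_ORIGINS = {"https://openclaw.corp.example"}  # assumed: the origins that serve your own UI
SENSITIVE_FILES = ("openclaw.json", "device.json")

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return a finding label for one parsed entry, or None if it looks benign."""
    # A completed WebSocket handshake (101) from an origin we do not serve matches
    # the link-triggered hijack described for CVE-2026-25253 (assumed cross-origin).
    if entry["status"] == "101" and entry["origin"] not in ALLOWED_ORIGINS:
        return "websocket-unexpected-origin"
    # Any successful HTTP read of the token/key files (ATT&CK T1552) is a finding:
    # they should never be reachable over the web at all.
    if entry["status"].startswith("2") and entry["path"].endswith(SENSITIVE_FILES):
        return "sensitive-file-read"
    return None

def scan(log_text):
    """Parse every line and collect (timestamp, client, label, path, origin) findings."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        if label:
            findings.append((entry["ts"], entry["ip"], label, entry["path"], entry["origin"]))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

A hijack that rides an already-open, legitimately-originated connection will not show up in handshake logs; for that case, correlate per-session command activity instead.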

Q: Does applying the patch eliminate all risk from this vulnerability? A: Patching closes the CVE-2026-25253 vulnerability and the recently fixed SSRF and path traversal flaws, but it does not undo any damage from prior exploitation. You must also rotate all credentials, audit logs for signs of past compromise, and implement network controls to prevent future exposure regardless of patch status.

Q: Are there compliance implications for organizations affected by this vulnerability? A: Yes. Depending on your industry, exposure of sensitive data through this vulnerability may trigger notification requirements under GDPR, HIPAA, or PCI DSS. Organizations subject to SOC 2 should also assess whether the misconfiguration represents a control failure that requires disclosure to auditors or customers.

Q: What is the best long-term approach to securing AI agent frameworks like OpenClaw? A: Treat AI frameworks as critical infrastructure from the moment of deployment. This means conducting pre-deployment security assessments, storing secrets in a dedicated secrets manager, enforcing network segmentation, and aligning your controls with established frameworks such as NIST SSDF, CIS Controls, and ISO 27001. Regular penetration testing of AI agent infrastructure should also become a standard practice.