
15,200 OpenClaw Control Panels with Full System Access Exposed to


Jennifer sherman
February 10, 2026 3 Min Read

In the rapidly growing “agentic AI” ecosystem, a critical security failure has left tens of thousands of personal and corporate AI assistants fully exposed to the public internet.

New research released today by the SecurityScorecard STRIKE Threat Intelligence Team reveals that 15,200 instances of the popular OpenClaw framework (formerly known as Moltbot) are vulnerable to Remote Code Execution (RCE), allowing attackers to take full control of the host machines.

The STRIKE team’s reconnaissance identified 42,900 unique IP addresses hosting exposed OpenClaw control panels across 82 countries. Unlike traditional web servers intended for public access, these are often personal workstations or cloud instances running AI agents that were inadvertently exposed due to insecure default settings.

The core issue stems from OpenClaw’s default configuration, which binds the service to 0.0.0.0:18789, listening on all network interfaces, rather than to the secure 127.0.0.1 (localhost) standard.

As a result, users who deployed the tool for personal automation have unknowingly broadcast their control panels to the entire internet.

“The math is simple: when you give an AI agent full access to your computer, you give that same access to anyone who can compromise it,” the STRIKE report notes.

The exposure is compounded by the fact that 53,300 of the identified instances correlate with prior breach activity, suggesting that many of these agents are running in environments that have already been compromised or flagged for high-risk behavior.

Critical OpenClaw/Clawdbot Vulnerabilities

The exposure is not just a configuration error; it is exacerbated by three high-severity Common Vulnerabilities and Exposures (CVEs) found in older versions of the software, which make up the vast majority of deployments.

  • CVE-2026-25253 (CVSS 8.8): A “1-click” RCE vulnerability. Attackers can craft a malicious link that, if clicked by the OpenClaw user, steals their authentication token and grants the attacker full control over the agent.
  • CVE-2026-25157 (CVSS 7.8): An SSH command injection flaw in the macOS application, allowing arbitrary command execution via malicious project paths.
  • CVE-2026-24763 (CVSS 8.8): A Docker sandbox escape vulnerability that allows an agent to break out of its containerized environment and access the host system via PATH manipulation.

While patches were released in version 2026.1.29 on January 29, STRIKE’s data indicates that 78% of exposed instances are still running older versions branded as “Clawdbot” or “Moltbot,” leaving them defenseless against these exploits.

The compromise of an AI agent poses a unique and amplified threat compared to traditional software vulnerabilities. Because agents are designed to act on behalf of the user (reading emails, managing infrastructure, and executing code), an attacker who captures an agent inherits those same privileges.

“Agentic AI does not create new classes of vulnerability. It inherits old ones and amplifies their impact,” the researchers explain. A compromised OpenClaw instance provides immediate access to sensitive directories, including ~/.ssh/ keys, AWS/cloud credentials, and authenticated browser sessions.

Attackers can use this access to pivot laterally into corporate networks, drain crypto wallets, or impersonate the victim on platforms like Discord and Telegram.

The investigation also found evidence of advanced persistent threat (APT) groups, including Kimsuky and APT28, operating in proximity to these exposed instances.

Approximately 33.8% of the exposed infrastructure correlates with known threat actor activity, indicating that these tools are either being used by attackers or are deployed on infrastructure already under their control.

The STRIKE team urges all OpenClaw users to take immediate action to secure their deployments. The primary mitigation is to update to version 2026.2.1 or later, which addresses the RCE vulnerabilities.

Critical defense steps include:

  • Bind to Localhost: Ensure the configuration is set to gateway.bind: "127.0.0.1" to prevent external access.
  • Rotate Credentials: Treat all API keys and tokens stored within the agent as compromised and rotate them immediately.
  • Use Secure Tunnels: For remote access, use zero-trust tunnels such as Tailscale or Cloudflare Tunnel instead of exposing ports directly to the internet.
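
To verify the "Bind to Localhost" step on a host, the listening sockets can be checked for the panel port bound to anything other than loopback. The following is an added example, not code from OpenClaw or the STRIKE report; it assumes Linux `ss -H -tln` output, and the sample lines are constructed.

```python
import ipaddress

OPENCLAW_PORT = 18789  # default control panel port named in the article

# Constructed sample of `ss -H -tln` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 511 0.0.0.0:18789 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 511 [::1]:18789 [::]:*
LISTEN 0 511 *:18789 *:*
LISTEN 0 128 192.0.2.10:18789 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
"""

def split_endpoint(endpoint):
    """Split ss's 'addr:port', handling [v6]:port, *:port and addr%iface."""
    addr, _, port = endpoint.rpartition(":")
    addr = addr.strip("[]").split("%")[0]
    return addr, int(port)

def classify(addr):
    """Return the reach of a bind address: loopback, all-interfaces or specific-interface."""
    if addr == "*":
        return "all-interfaces"
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "all-interfaces"
    if ip.is_loopback:  # 127.0.0.0/8 or ::1
        return "loopback"
    return "specific-interface"

def audit_listeners(ss_output, port=OPENCLAW_PORT):
    """Return (local endpoint, scope) for every listener on the given port."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, lport = split_endpoint(fields[3])  # column 4 is Local Address:Port
        if lport == port:
            findings.append((fields[3], classify(addr)))
    return findings

def exposed(findings):
    """Endpoints reachable from beyond the local machine."""
    return [ep for ep, scope in findings if scope != "loopback"]

if __name__ == "__main__":
    for ep, scope in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"{'OK' if scope == 'loopback' else 'EXPOSED':8} {ep:22} {scope}")
```

A listener bound to a specific non-loopback address is flagged as well, since it is still reachable from the network that interface sits on.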

For security teams, STRIKE recommends blocking port 18789 at the perimeter and monitoring for unusual outbound command-and-control (C2) traffic originating from internal workstations.

A live dashboard tracking the exposure, known as “Declawed,” provides updates on the number of vulnerable instances every 15 minutes, offering the community a real-time view of the remediation progress.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
