A critical unpatched flaw in the open source Ray AI framework is being exploited by ShadowRay 2.0 to hijack NVIDIA GPU clusters worldwide.
A critical unpatched vulnerability (CVE-2023-48022, CVSS 9.8) in the open-source Ray AI framework is being actively exploited to convert NVIDIA GPU clusters into a globally self-spreading cryptomining botnet. Security analysts warn that easy-to-misconfigure Ray deployments are exposing AI compute infrastructure at massive scale.
The flaw persists due to a “long-standing design decision” that assumes Ray will operate only within isolated, trusted networks, without requiring authentication. However, more than 230,500 Ray servers are publicly accessible, creating a vast attack surface discoverable using the open-source utility interact.sh.
Codenamed ShadowRay 2.0, the campaign is an evolution of an earlier wave of attacks that ran from September 2023 to March 2024. Threat actors abuse the unauthenticated Ray Job Submission API to submit malicious Bash and Python tasks, and the worm then propagates in spray-and-pray fashion across exposed dashboards.
The botnet uses XMRig to mine cryptocurrency while spreading laterally to internal nodes, creating reverse shells for remote control, and maintaining persistence with cron jobs that refresh every 15 minutes. The payload also terminates competing miners to maximise profits. Some code patterns indicate likely use of large language models in crafting the malware.
Stealth techniques include disguising malicious processes as Linux kernel services and capping CPU usage around 60%. A China-specific variant is also deployed.
Researchers Avi Lumelsky and Gal Elbaz note, “The threat actors have turned Ray’s legitimate orchestration features into tools for a self-propagating, globally cryptojacking operation, spreading autonomously across exposed Ray clusters.”
Compromised clusters have additionally been weaponised for denial-of-service attacks via sockstress, indicating a broader criminal monetisation strategy. Oligo Security said, “This transforms the operation from pure cryptojacking into a multi-purpose botnet… The target port 3333 is commonly used by mining pools.”
Ray’s developers at Anyscale have released a Ray Open Ports Checker and urge firewalling and authorisation for Dashboard port 8265 to prevent exposure.
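The host-level behaviours reported above (processes posing as kernel services, a 15-minute cron refresh, traffic to port 3333, a Dashboard reachable on 8265) can be turned into a quick triage pass. The following is an added example, not code from Oligo Security or Anyscale; the snapshot text, addresses and file paths are constructed, and each hit is a lead for review rather than proof of compromise.

```python
import re
# Constructed sample snapshots (not incident data), shaped like the output of
# `ps -eo pid=,ppid=,args=`, `ss -tanH` and `crontab -l` on a Ray node.
PS = """\
    2     0 [kthreadd]
   37     2 [kworker/0:1-events]
 4120     1 /usr/bin/python3 /opt/app/worker.py
 4518  4120 [kworker/u8:3]
"""
SS = """\
LISTEN 0 128 0.0.0.0:8265 0.0.0.0:*
ESTAB  0 0   10.0.0.5:51544 203.0.113.9:3333
ESTAB  0 0   10.0.0.5:8265 10.0.0.7:40112
"""
CRON = """\
0 3 * * * /usr/local/bin/backup.sh
*/15 * * * * /var/tmp/refresh.sh
"""

def fake_kernel_threads(ps_text):
    """Real kernel threads descend from kthreadd (PID 2); a bracketed name elsewhere is suspect."""
    hits = []
    for line in ps_text.splitlines():
        pid, ppid, args = line.split(None, 2)
        if re.fullmatch(r"\[.+\]", args.strip()) and int(ppid) not in (0, 2):
            hits.append(int(pid))
    return hits

def socket_findings(ss_text, dash_port=8265, pool_port=3333):
    """Dashboard listening beyond loopback, and established flows to the mining-pool port."""
    exposed, pool = [], []
    for line in ss_text.splitlines():
        state, _, _, local, peer = line.split()[:5]
        lhost, lport = local.rsplit(":", 1)
        if state == "LISTEN" and int(lport) == dash_port and lhost not in ("127.0.0.1", "[::1]"):
            exposed.append(local)
        if state == "ESTAB" and peer.rsplit(":", 1)[1] == str(pool_port):
            pool.append(peer)
    return exposed, pool

def quarter_hour_cron(cron_text):
    """Cron entries on the 15-minute schedule reported for the persistence job."""
    return [l for l in cron_text.splitlines() if re.match(r"\*/15\s", l)]

def triage(ps_text=PS, ss_text=SS, cron_text=CRON):
    exposed, pool = socket_findings(ss_text)
    return {"fake_kthreads": fake_kernel_threads(ps_text), "dashboard_exposed": exposed,
            "pool_connections": pool, "cron_15min": quarter_hour_cron(cron_text)}
if __name__ == "__main__":
    print(triage())
```

Processes whose command line cannot be read are also shown in brackets by `ps`, so confirm a flagged PID against `/proc/<pid>/exe` before acting on it.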