Campaign dubbed ShadowRay 2.0 exploits unpatched Ray AI framework flaw to install cryptominers

Take action: If you're running Ray AI framework servers, this is urgent. Immediately make sure your Ray AI servers are isolated from the public internet and only accessible from trusted internal networks. Hackers are actively exploiting it, and there's no patch available. Use Anyscale's Ray Open Ports Checker tool to check your exposure.

Learn More

A global campaign dubbed ShadowRay 2.0 is actively exploiting a critical vulnerability in the Ray open-source AI framework to hijack exposed clusters and convert them into a self-propagating cryptomining botnet. Developed by Anyscale, Ray is an open-source framework for building and scaling AI and Python applications across distributed computing environments, where workloads run on clusters coordinated by a head node.

The security flaw is tracked as CVE-2023-48022 (CVSS score 9.8). Security company Oligo has observed that this malicious campaign extends beyond cryptocurrency mining to include data and credential theft, as well as distributed denial-of-service (DDoS) attacks, representing a multi-faceted threat to organizations deploying AI infrastructure.

The vulnerability is unpatched due to Ray's original design philosophy, which assumes deployment within a strictly controlled, trusted network environment without authentication requirements. Researchers discovered that more than 230,000 Ray servers are currently exposed on the public internet, a dramatic increase from the few thousand observed during the initial ShadowRay campaign that ran from September 2023 to March 2024. 

Oligo researchers identified two distinct attack waves in the current campaign: one that abused GitLab for payload delivery and terminated on November 5, 2025, and an ongoing wave that has been using GitHub since November 17, 2025. The attacks exploit CVE-2023-48022 to submit unauthorized jobs to Ray's unauthenticated Jobs API, executing multi-stage Bash and Python payloads that abuse the platform's orchestration capabilities to deploy malware on all nodes and enable autonomous cluster-to-cluster spreading.

The malware deploys XMRig to mine Monero cryptocurrency and uses evasion techniques, including capping CPU usage at approximately 60% to avoid immediate detection. Miners are placed in deceptive file locations and run under fake process names such as 'dns-filter' to maintain a low profile. The attackers also ensure exclusive control by terminating competing mining scripts and blocking rival mining pools through modifications to /etc/hosts and iptables configurations.
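As an added illustration of how a defender can triage a node for the tradecraft described above (this is example code, not code from Oligo, Anyscale or the Ray project), the following Python script runs over constructed samples of `ps -eo pid,pcpu,comm,args` output and of /etc/hosts. It flags processes that carry the 'dns-filter' name named in the write-up, processes whose name does not match the binary they run, binaries executed from scratch or hidden directories, processes pinned inside the CPU band a ~60% throttle would produce, and /etc/hosts entries that sink non-local hostnames. The 50-70% band, the scratch-directory list, the known-symlink allowlist and the pool hostnames are assumptions of the example.

```python
"""Host-level triage for the ShadowRay 2.0 behaviours described in the article.

Added example, not code from Oligo, Anyscale or Ray. Inputs below are
constructed samples standing in for `ps -eo pid,pcpu,comm,args` and /etc/hosts.
"""
import os

# 'dns-filter' is the fake process name reported in the write-up; 'xmrig' is the miner's own name.
KNOWN_MINER_NAMES = {"dns-filter", "xmrig"}
# Assumption: scratch directories a dropped miner is likely to run from.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Assumption: a miner capped at ~60% CPU will sit inside this band when sampled.
THROTTLE_BAND = (50.0, 70.0)
# Legitimate name/binary mismatches caused by symlinks (extend for your distro).
KNOWN_SYMLINKS = {"/sbin/init": "systemd"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}
SINK_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}

# Constructed sample of `ps -eo pid,pcpu,comm,args` on a compromised worker node.
PS_SAMPLE = """\
  PID %CPU COMMAND         COMMAND
    1  0.0 systemd         /sbin/init
  812  0.3 raylet          /opt/ray/bin/raylet --node-ip-address=10.0.0.5
 2291  0.1 python3         /usr/bin/python3 /opt/ray/dashboard/agent.py
 4417 59.8 dns-filter      /dev/shm/.cache/dns-filter --config /dev/shm/.cache/c.json
 4420  0.0 bash            /bin/bash /tmp/.x/run.sh
 4431 58.9 kworker/u8:2    /var/tmp/.s/kworker
"""

# Constructed /etc/hosts after the attacker sinkholed rival pools (hostnames are placeholders).
HOSTS_SAMPLE = """\
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
10.0.0.5 ray-head
0.0.0.0 rival-pool-a.example   # added by the malware
0.0.0.0 rival-pool-b.example
"""


def parse_ps(text):
    """Parse `ps -eo pid,pcpu,comm,args` output into dicts; the header line is skipped."""
    procs = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, pcpu, comm, args = parts
        procs.append({"pid": int(pid), "pcpu": float(pcpu), "comm": comm, "args": args})
    return procs


def process_findings(proc):
    """Return the list of reasons a process looks like the campaign's miner (empty if clean)."""
    reasons = []
    exe = proc["args"].split()[0]
    if proc["comm"] in KNOWN_MINER_NAMES:
        reasons.append("known campaign process name")
    # Kernel threads show as [name] with no path, so only real paths are compared.
    if (exe.startswith("/") and os.path.basename(exe) != proc["comm"]
            and KNOWN_SYMLINKS.get(exe) != proc["comm"]):
        reasons.append(f"process name {proc['comm']!r} does not match binary {exe}")
    for tok in proc["args"].split():
        if tok.startswith(SUSPICIOUS_DIRS) or "/." in tok:
            reasons.append(f"runs from scratch or hidden path {tok}")
            break
    lo, hi = THROTTLE_BAND
    if lo <= proc["pcpu"] <= hi:
        reasons.append(f"CPU {proc['pcpu']}% sits in the throttle band")
    return reasons


def suspicious_processes(ps_text):
    """Map pid -> reasons for every process with at least one finding."""
    out = {}
    for proc in parse_ps(ps_text):
        reasons = process_findings(proc)
        if reasons:
            out[proc["pid"]] = reasons
    return out


def sinkholed_hosts(hosts_text):
    """Hostnames that /etc/hosts pins to a null or loopback address, excluding the normal local names."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if addr in SINK_ADDRS:
            hits.extend(n for n in names if n not in LOCAL_NAMES)
    return hits


if __name__ == "__main__":
    for pid, reasons in suspicious_processes(PS_SAMPLE).items():
        print(pid, "; ".join(reasons))
    print("sinkholed:", sinkholed_hosts(HOSTS_SAMPLE))
```

On a live node, feed the script the real `ps` output and `/etc/hosts` contents. The hosts check will also trip on legitimate ad-blocking hosts files, so treat entries it reports as leads to confirm against the cluster's baseline rather than as verdicts; the same goes for the CPU band, which is a heuristic rather than a signature.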

Since no patch is available for CVE-2023-48022 due to the vendor's design decisions, the only mitigation open to Ray users is to isolate their Ray servers in secure, trusted environments protected from unauthorized access. Anyscale has released a Ray Open Ports Checker tool to help organizations assess their exposure.
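Anyscale's Open Ports Checker tests reachability from outside the cluster. As an added, host-side complement (example code, not the checker itself and not Ray project code), the following Python script parses `ss -ltnp` output from a Ray head node and reports Ray listeners that are bound to every interface or to an address outside the networks you consider trusted. The port-to-service mapping uses Ray's documented defaults (8265 for the dashboard and Jobs API, 6379 for the GCS server, 10001 for the Ray client server); treat that as an assumption to verify against your own `ray start` flags. The socket table is a constructed sample.

```python
"""Report Ray listeners on this host that are not confined to loopback or trusted networks.

Added example, not Anyscale's Open Ports Checker and not Ray code. Input is a
constructed sample of `ss -ltnp` output from a Ray head node.
"""
import ipaddress
import re

# Ray's documented default ports (assumption: confirm against your `ray start` flags).
RAY_PORTS = {
    8265: "dashboard / Jobs API",
    6379: "GCS server",
    10001: "Ray client server",
}
# Spellings `ss` uses for a wildcard bind, before and after bracket stripping.
WILDCARDS = {"*", "0.0.0.0", "::", "[::]"}

# Constructed sample of `ss -ltnp` on a head node whose dashboard is wide open.
SS_SAMPLE = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:8265         0.0.0.0:*          users:(("python3",pid=2291,fd=7))
LISTEN  0       128     10.0.0.5:6379        0.0.0.0:*          users:(("gcs_server",pid=801,fd=12))
LISTEN  0       128     127.0.0.1:10001      0.0.0.0:*          users:(("python3",pid=2300,fd=9))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=600,fd=3))
"""


def parse_listeners(ss_text):
    """Return (address, port, process) tuples for LISTEN rows; the header line is skipped."""
    out = []
    for line in ss_text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)
        match = re.search(r'\("([^"]+)"', line)
        out.append((addr.strip("[]"), int(port), match.group(1) if match else "?"))
    return out


def exposed_ray_listeners(ss_text, trusted_cidrs=()):
    """Ray ports bound to all interfaces or to an address outside the trusted CIDRs.

    Returns (port, address, process, reason) tuples in table order.
    """
    nets = [ipaddress.ip_network(cidr) for cidr in trusted_cidrs]
    findings = []
    for addr, port, proc in parse_listeners(ss_text):
        if port not in RAY_PORTS:
            continue
        if addr in WILDCARDS:
            findings.append((port, addr, proc, "bound to every interface"))
            continue
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback or any(ip in net for net in nets):
            continue
        findings.append((port, addr, proc, "bound to an address outside the trusted networks"))
    return findings


if __name__ == "__main__":
    for port, addr, proc, reason in exposed_ray_listeners(SS_SAMPLE, trusted_cidrs=["10.0.0.0/8"]):
        print(f"{RAY_PORTS[port]} ({proc}) on {addr}:{port}: {reason}")
```

Run it against `ss -ltnp` on each head node and pass the CIDRs of the internal networks that are allowed to reach Ray. A bind address alone says nothing about routing or firewall rules: a listener on an internal IP is still reachable from the internet if that interface is routable, so use this as a first filter and confirm the result with the external checker.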
