CVE-2023-48022 - Ray Framework Flaw Fuels ShadowRay 2.0 Botnet

CVE-2023-48022 is a critical authentication bypass in the Ray distributed AI framework that enables attackers to execute arbitrary commands through the unauthenticated Job Submission API, serving as the core driver behind the ShadowRay 2.0 self-propagating GPU cryptomining botnet. The flaw, originating from Ray’s design decision to rely on trusted isolated environments, affects exposed dashboards that allow remote command execution without verification. The ShadowRay 2.0 campaign weaponizes vulnerable Ray clusters—especially those with NVIDIA GPUs—and chains MITRE ATT&CK techniques including T1190 (Exploit Public-Facing Application), T1569.002 (System Services: Service Execution), and T1570 (Lateral Tool Transfer). This vulnerability has a CVSS score of 9.8 and represents one of the most high-impact threats for AI and HPC environments. Attackers compromise Ray nodes by submitting malicious jobs via the “/api/jobs/” endpoint, using reconnaissance scripts to stage multi-step payloads written in Bash and Python. The campaign, as detailed by Oligo Security, spreads worm-like across exposed clusters by abusing Ray’s orchestration features, GitHub/GitLab-hosted payloads, and automated re-infection cron jobs that pull the latest malware versions. Researchers also observed adversaries using region-aware logic—deploying China-specific variants—and employing techniques to evade detection through disguised kernel worker processes and throttled CPU usage. The cluster-to-cluster propagation reflects a systemic risk across AI infrastructure where misconfigured ports and unpatched orchestration tools enable rapid operational compromise. The business impact is severe: compromised Ray clusters deliver unrestricted access to sensitive AI workloads, model training pipelines, GPU compute environments, and internal data lakes. Organizations operating GPU-backed cloud workloads face operational disruption, cryptomining resource theft, lateral movement risk, and regulatory exposure under frameworks such as GDPR, HIPAA, and PCI-DSS if data is processed within infected clusters. Active exploitation has been confirmed, and the campaign has likely continued since late 2024. Mitigation requires immediate removal of public exposure for Ray dashboards, applying network segmentation around orchestration components, enforcing authentication on job submission endpoints, and deploying WAF policies to block command injection attempts. Organizations should audit for unauthorized cron jobs, unexpected GPU utilization, and suspicious outbound connections to attacker infrastructure. Long-term remediation involves upgrading Ray deployments, enforcing hardened orchestration practices, and isolating AI workloads through strict zero-trust controls.