Due to a significant security breach, more than 15,200 OpenClaw AI control panels are now publicly accessible online, giving hackers complete remote control over users' systems. OpenClaw is an open-source framework for creating "agentic" AI autonomous bots that carry out everyday tasks like file management and message sending. It was formerly known as Clawdbot and Moltbot.

SecurityScorecard's STRIKE Threat Intelligence team used internet-wide scans to find the problem. Using favicon fingerprinting, a technique that identifies a web application by the distinctive icon it serves, they identified roughly 42,900 IP addresses running OpenClaw panels across 82 countries. But what is the actual risk? By default, the program binds to 0.0.0.0, which means it listens for connections from anywhere on the internet, not just the local computer.

Because of this careless setup, anyone with simple tools can locate these panels.

Attackers can log in right away if users choose a weak password or forget to set one. Unlike compromising an ordinary website, which might only leak data, compromising an OpenClaw agent lets the attacker act: they operate with the victim's authority and inherit the bot's permissions.

What can hackers do or steal? A lot:
- Credentials: passwords, OAuth tokens, and API keys stored in the ~/.openclaw/credentials/ folder.
- System files: complete filesystem access, including saved browser profiles and SSH keys in ~/.ssh/.
- Impersonation: sending messages over WhatsApp, Discord, or Telegram while pretending to be the victim.
- Financial damage: hijacking browser sessions for banking or emptying cryptocurrency wallets.

The issues mount. Remote Code Execution (RCE) vulnerabilities, such as CVE-2026-25253 (CVSS 8.8), affect more than 15,000 exposed panels.

This "1-click" bug lets a malicious link steal authentication tokens. Even worse, "version fragmentation" keeps the risk alive: STRIKE found that 38.5% of the instances it identified still reported themselves as "Moltbot Control" and nearly 40% as "Clawdbot Control."

Users tend to stick with out-of-date forks and rarely update. Many run on popular cloud services like AWS or Azure, where poor deployment templates spread the same misconfiguration widely. STRIKE stresses that this is about exposed infrastructure, not AI jargon like superintelligence. Attackers could use compromised agents to launch ransomware, build botnets, or steal identities.

How to Correct It

Users need to move quickly:
- In the configuration files, bind OpenClaw to 127.0.0.1 (localhost only).
- Create strong, unique passwords.
- Patch the CVEs and update to the most recent version.
- Use tools such as Shodan to search your own networks for exposed panels.
- Use firewalls to block public access.

Cloud providers should audit their templates. Developers should avoid dangerous defaults.
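An added check for the rebind step above (written for this page, not code from the article or the OpenClaw project): it parses Linux's /proc/net/tcp and /proc/net/tcp6 and lists every LISTEN socket bound to 0.0.0.0 or ::, so a panel that is still listening on every interface after the fix stands out. The sample rows and port 8080 are constructed, and the decoder assumes a little-endian host.

```python
"""Flag listening TCP sockets bound to every interface (0.0.0.0 / ::) by parsing
Linux's /proc/net/tcp{,6}. Assumes a little-endian host (kernel prints host byte order)."""
import socket
LISTEN = "0A"                  # TCP state code for LISTEN
WILDCARDS = {"0.0.0.0", "::"}  # binds reachable from any interface
# Constructed sample rows, not real OpenClaw output; port 1F90 (8080) is an assumed
# example. Row 0 is exposed, row 1 loopback-only, row 2 ESTABLISHED (must be ignored).
SAMPLE_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1F90 0100007F:D0E2 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""

def decode_addr(hex_addr):
    """Kernel hex address -> dotted/colon text; each 4-byte word is byte-reversed."""
    raw = bytes.fromhex(hex_addr)
    packed = b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))
    family = socket.AF_INET if len(packed) == 4 else socket.AF_INET6
    return socket.inet_ntop(family, packed)

def listeners(proc_text):
    """(address, port) for every LISTEN socket in /proc/net/tcp(6) text."""
    found = []
    for line in proc_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] == "sl" or fields[3] != LISTEN:
            continue  # header row or a socket that is not listening
        addr_hex, port_hex = fields[1].split(":")
        found.append((decode_addr(addr_hex), int(port_hex, 16)))
    return found

def wildcard_listeners(proc_text):
    """Only the listeners exposed on every interface."""
    return [(a, p) for a, p in listeners(proc_text) if a in WILDCARDS]

def audit_host(paths=("/proc/net/tcp", "/proc/net/tcp6")):
    """Read the live kernel tables; returns [] where /proc is unavailable."""
    exposed = []
    for path in paths:
        try:
            with open(path) as fh:
                exposed += wildcard_listeners(fh.read())
        except OSError:
            pass
    return exposed

if __name__ == "__main__":
    for addr, port in wildcard_listeners(SAMPLE_TCP) + audit_host():
        print(f"exposed listener {addr}:{port} (rebind to 127.0.0.1 or firewall it)")
```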

This exposure shows the two sides of agentic AI: powerful tools, and a broad attack surface whenever they are misconfigured.