Threat actors are abusing Ray’s lack of authentication to compromise exposed clusters and deploy LLM-generated payloads and cryptocurrency miners.
November 19, 2025 By Ionut Arghire

Threat actors are exploiting a two-year-old vulnerability in the Ray AI framework in a fresh campaign that hit numerous clusters, Oligo reports.
Maintained by Anyscale, Ray is an open source framework for scaling Python-based AI and ML applications. Ray clusters can be deployed into the cloud to scale workloads, and should be secured and isolated in safe network environments, as the framework does not implement authentication.
The issue, tracked as CVE-2023-48022 (CVSS score of 9.8), allows remote, unauthenticated attackers to execute arbitrary code via the framework’s Jobs API.
Anyscale disputed the bug, pointing out that Ray’s documentation clearly states that clusters should not be used outside controlled network environments, but said last year it would implement login and authentication mechanisms in a future release.
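The exposure described above can be checked from the defender's side. The following is an added example, not code from Oligo, Anyscale or the Ray project: it audits `ray start` command lines (for instance gathered from process listings) and flags head nodes whose dashboard, which serves the Jobs API, is bound beyond loopback. The `--dashboard-host` flag and its localhost default are assumptions about Ray's CLI, and the sample command lines are constructed.

```python
import ipaddress
import shlex

# Constructed sample command lines, not taken from any real cluster.
SAMPLES = [
    "ray start --head --port=6379",
    "ray start --head --dashboard-host=0.0.0.0 --dashboard-port=8265",
    "ray start --head --dashboard-host 10.0.4.17",
    "ray start --address=10.0.4.17:6379",
]

def dashboard_host(cmdline):
    """Return the --dashboard-host value of a `ray start` command line, or None."""
    args = shlex.split(cmdline)
    for i, arg in enumerate(args):
        if arg.startswith("--dashboard-host="):
            return arg.split("=", 1)[1]
        if arg == "--dashboard-host" and i + 1 < len(args):
            return args[i + 1]
    return None

def classify(cmdline):
    """Return 'not-head', 'loopback', 'all-interfaces' or 'routable'."""
    if "--head" not in shlex.split(cmdline):
        return "not-head"  # only the head node serves the dashboard and Jobs API
    # Assumption: with no flag given, the dashboard binds to localhost.
    host = dashboard_host(cmdline) or "127.0.0.1"
    if host == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "routable"  # any other hostname: treat as reachable from the network
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "all-interfaces"  # 0.0.0.0 or ::
    return "routable"

def audit(cmdlines):
    """Return (cmdline, verdict) pairs for head nodes bound beyond loopback."""
    verdicts = ((c, classify(c)) for c in cmdlines)
    return [(c, v) for c, v in verdicts if v in ("all-interfaces", "routable")]

if __name__ == "__main__":
    for cmd, verdict in audit(SAMPLES):
        print(f"{verdict:15} {cmd}")
```

A flagged head node is not necessarily reachable from the internet; the verdict marks where firewall rules and network isolation need to be confirmed.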