SecurityScorecard's STRIKE team scanned the internet and found 40,214 OpenClaw AI agent instances exposed to the public internet, many with full admin access, no authentication, and known vulnerabilities.
12,812 of them are vulnerable to Remote Code Execution. Attackers can take over the host machine completely.
549 instances correlate with prior breaches. 1,493 have known CVEs with public exploits available.
The kicker? OpenClaw binds to 0.0.0.0:18789 by default, meaning it listens on ALL network interfaces, including the public internet. For a tool that controls your computer, files, credentials, and messaging, the default should be localhost-only. It's not.
78% of exposed instances are running outdated versions with old branding (Clawdbot, Moltbot) from before critical security patches. Most are hosted on Alibaba Cloud (45%) and concentrated in China (37%).
When you compromise an OpenClaw instance, you don't just get data; you inherit everything the agent can do. SSH keys, browser sessions, API tokens, messaging impersonation, and filesystem access. It's like finding someone's unlocked phone, except the phone has root access to their entire digital life.

If you're running OpenClaw:
- Patch to v2026.2.1 or later immediately
- Bind to localhost: set `gateway.bind: "127.0.0.1"` in config
- Use Tailscale or VPN for remote access, NOT public exposure
- Rotate all API keys and tokens (treat them as compromised)
- Run `openclaw security audit deep` to check your setup

Everyone else:
- Block port 18789 at your network perimeter
- Inventory AI agent deployments in your environment
- Treat AI agents as privileged identities, not toys
- Never run agent frameworks with root/admin privileges
- Use zero-trust tunnels (Cloudflare, Tailscale) instead of exposing ports
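
A local check for the binding problem described above, as an added example (not code from SecurityScorecard or the OpenClaw project): it parses `ss -H -ltn` output and flags any listener on port 18789 that is not confined to loopback. The sample lines are constructed, and the column layout assumes Linux `ss` with only TCP selected.

```python
import ipaddress

OPENCLAW_PORT = 18789  # default gateway port named in the article

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 511 0.0.0.0:18789 0.0.0.0:*
LISTEN 0 511 127.0.0.1:18789 0.0.0.0:*
LISTEN 0 128 [::]:18789 [::]:*
LISTEN 0 128 [::1]:18789 [::]:*
LISTEN 0 128 *:18789 *:*
LISTEN 0 128 10.0.0.5%eth0:18789 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
"""

def split_local(field):
    """Split ss's 'Local Address:Port' column into (host, port)."""
    host, _, port = field.rpartition(":")
    host = host.split("%", 1)[0].strip("[]")  # drop %iface scope, then brackets
    return host, int(port)

def classify(host):
    """Return 'loopback', 'wildcard' or 'specific' for a bind address."""
    if host == "*":  # ss prints * for a dual-stack wildcard socket
        return "wildcard"
    addr = ipaddress.ip_address(host)
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified:  # 0.0.0.0 or ::
        return "wildcard"
    return "specific"

def exposed_listeners(ss_output, port=OPENCLAW_PORT):
    """Return (host, kind) for listeners on `port` not confined to loopback."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        host, lport = split_local(cols[3])
        if lport == port and classify(host) != "loopback":
            findings.append((host, classify(host)))
    return findings

if __name__ == "__main__":
    for host, kind in exposed_listeners(SAMPLE_SS):
        print(f"port {OPENCLAW_PORT} bound to {host} ({kind}): reachable beyond localhost")
```

A "specific" result is not automatically public, but it still means the gateway answers on a routable interface and should be reviewed against the firewall and tunnel setup.
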
Out-of-the-box insecure defaults + rapid adoption = mass compromise waiting to happen.
The AI industry is building agents that can "actually do things" instead of just chatting.
But we're giving these systems filesystem access, command execution, and identity delegation without proper security controls.
40,000+ exposed instances isn't a niche problem; it's a systemic failure in how AI agents are being deployed. This is the cloud console exposure crisis all over again, except now it's conversational.
- Alex
P.S. — SecurityScorecard built a live dashboard tracking OpenClaw exposures updated every 15 minutes: declawed.io. Check if your infrastructure is exposed.
Originally published at https://threatroad.substack.com.