CVE-2023-48022
Published: 2023-11-28
Priority: P191 · Severity: critical · CVSS 3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 81.51% (99.6th percentile)
Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment. (Also, within that environment, customers at version 2.52.0 and later can choose to use token authentication.)
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| anyscale | ray | — | — |
| anyscale | ray | — | — |
| anyscale | ray | >= 0 < 2.8.1 | 2.8.1 |
| anyscale | ray | 0 – 2.49.2 | — |
| anyscale | ray | 2.9.3 – 2.40.0 | — |
| ray-project | ray-project_ray | unspecified – latest | — |
Detection & IOCs (extracted from sources)
- domain: ironern440-group
- domain: thisisforwork440-ops
- sigma: regex("uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)", body)
- Monitor for unauthenticated POST requests to /api/jobs/ on Ray Dashboard port 8265; successful exploitation returns HTTP 200 with a JSON body containing a 'logs' key and uid/gid output.
- Detect Ray cluster compromise by hunting for cron jobs executing every 15 minutes that pull payloads from GitHub repositories.
- Detect Sockstress-based DDoS tool deployment on compromised Ray nodes; it exploits asymmetric resource consumption by opening large numbers of TCP connections through raw sockets.
- Detect /etc/hosts and iptables modifications used to block rival mining pools on compromised Ray cluster nodes.
- Use Shodan/FOFA queries for Ray Dashboard exposure: http.favicon.hash:463802404 or http.html:"ray dashboard" to identify internet-exposed Ray instances.
- Investigate Python reverse shells opened to attacker infrastructure from Ray cluster nodes for interactive control and data exfiltration of MySQL credentials, AI models, and source code.
- Check Point IPS signature available: 'Anyscale Ray Remote Code Execution (CVE-2023-48022)' for network-level detection.
- Customers at Ray version 2.52.0 and later can optionally enable token authentication as a defense-in-depth measure.
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd | 9.8 (v3.1) | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | 9.8 | CRITICAL | — |
| osv | 9.8 | CRITICAL | — |
| vulncheck | 9.8 | CRITICAL | — |
| vendor_redhat | 9.8 | CRITICAL | — |
OSV
CVE-2024-57000 [CRITICAL] Withdrawn Advisory: Command injection in Ray
osv · 2025-02-12 · CVSS 9.8
# Withdrawn Advisory
This advisory is a duplicate of GHSA-6wgj-66m2-xxp2 / CVE-2023-48022.
# Original Description
An issue in Anyscale Inc Ray between v.2.9.3 and v.2.40.0 allows a remote attacker to execute arbitrary code via a crafted script.
GHSA
CVE-2024-57000 [CRITICAL] CWE-94 Withdrawn Advisory: Command injection in Ray
ghsa · 2025-02-12 · CVSS 9.8
# Withdrawn Advisory
This advisory is a duplicate of GHSA-6wgj-66m2-xxp2 / CVE-2023-48022.
# Original Description
An issue in Anyscale Inc Ray between v.2.9.3 and v.2.40.0 allows a remote attacker to execute arbitrary code via a crafted script.
OSV
CVE-2023-48022 [CRITICAL] Ray has arbitrary code execution via jobs submission API
osv · 2023-11-28
Anyscale Ray allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment.
GHSA
CVE-2023-48022 [CRITICAL] CWE-829 Ray has arbitrary code execution via jobs submission API
ghsa · 2023-11-28
Anyscale Ray allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment.
GHSA
CVE-2023-6020 [CRITICAL] CWE-598 Ray Missing Authorization vulnerability
ghsa · 2023-11-16
LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray maintainers response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023
GHSA
CVE-2023-6021 [CRITICAL] CWE-22 Ray Path Traversal vulnerability
ghsa · 2023-11-16
LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray maintainers response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023
OSV
CVE-2023-6021 [CRITICAL] Ray Path Traversal vulnerability
osv · 2023-11-16
LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray maintainers response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023
OSV
CVE-2023-6020 [CRITICAL] Ray Missing Authorization vulnerability
osv · 2023-11-16
LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray maintainers response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023
VulnCheck
CVE-2023-48022 [CRITICAL] anyscale ray Server-Side Request Forgery (SSRF)
vulncheck · 2023 · CVSS 9.8
Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment. (Also, within that environment, customers at version 2.52.0 and later can choose to use token authentication.)
Affected: anyscale ray
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.oligo.security/blog/shadowray-attack-ai-workloads-actively-exploited-in-the-wild; https://dashboard.shadowserver.org/statistics/
Red Hat
CVE-2023-48022 [CRITICAL] CWE-918 ray: Ray Job Submission Arbitrary Code Execution
vendor_redhat · 2025-08-07 · CVSS 9.8
Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment. (Also, within that environment, customers at version 2.52.0 and later can choose to use token authentication.)
A flaw was found in ray. The job submission API allows a remote attacker to execute arbitrary code due to insufficient input validation. An unauthenticated attacker can trigger this vulnerability by sending a malicious job submission request. Successful exploitation results in arbitrary code execution on the affected Ray cluster.
Package: rho
Red Hat
CVE-2023-6019 [CRITICAL] CWE-78 ray: Ray Dashboard Command Injection
vendor_redhat · 2025-08-07 · CVSS 9.8
A command injection existed in Ray's cpu_profile URL parameter allowing attackers to execute os commands on the system running the ray dashboard remotely without authentication. The issue is fixed in version 2.8.1+. Ray maintainers' response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023
A flaw was found in ray. The `cpu_profile` URL parameter allows for command injection, enabling a remote, unauthenticated attacker to execute arbitrary operating system commands on the system hosting the Ray dashboard. This exploitation occurs directly through a crafted URL. Successful command execution can lead to significant system compromise.
Statement: No Red Hat products
Suricata
CVE-2023-48022 [CRITICAL] ET WEB_SPECIFIC_APPS Ray Framework (ShadowRay) Unauthenticated Jobs API Command Execution (CVE-2023-48022)
suricata · 2025-05-09 · CVSS 9.8
Rule: alert http any any -> $HOME_NET 8265 (msg:"ET WEB_SPECIFIC_APPS Ray Framework (ShadowRay) Unauthenticated Jobs API Command Execution (CVE-2023-48022)"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"application/json"; http.uri; content:"/api"; content:"/jobs/"; distance:0; http.request_body; content:"|22|entrypoint|22 3a|"; fast_pattern; reference:url,www.vicarius.io/vsociety/posts/shadowray-cve-2023-48022-exploit; reference:cve,2023-48022; reference:url,www.oligo.security/blog/shadowray-attack-ai-workloads-actively-exploited-in-the-wild; classtype:web-application-attack; sid:2062224; rev:1; metadata:attack_target Server, tls_state TLSDecry
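Added example, not taken from any of the sources above or from the Ray project: the Suricata rule's match conditions and the uid/gid regex from the Detection & IOCs list, written as a Python classifier and run over constructed request/response samples so a defender can see which exchanges the rule would flag and which of those show the submitted command actually ran. The HttpExchange record is a hypothetical sensor log schema.

```python
import json
import re
from dataclasses import dataclass

# Same pattern as the sigma IOC; [0-9(a-z)] admits the parentheses in "0(root)" too.
UID_GID_RE = re.compile(r"uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)")

@dataclass
class HttpExchange:  # hypothetical sensor log schema for one request/response pair
    dst_port: int
    method: str
    uri: str
    content_type: str
    request_body: str
    status: int = 0
    response_body: str = ""

def matches_job_submission(ex: HttpExchange) -> bool:
    """Mirror of the Suricata conditions: POST to 8265, JSON content type, '/api'
    followed later by '/jobs/' in the URI, and raw '"entrypoint":' in the body."""
    if ex.dst_port != 8265 or ex.method.upper() != "POST":
        return False
    if "application/json" not in ex.content_type.lower():
        return False
    api_at = ex.uri.find("/api")
    if api_at < 0 or ex.uri.find("/jobs/", api_at + len("/api")) < 0:
        return False
    return '"entrypoint":' in ex.request_body

def shows_successful_execution(ex: HttpExchange) -> bool:
    """IOC-list check: HTTP 200 whose JSON body has a 'logs' key containing
    id(1)-style uid=/gid= output, i.e. the submitted entrypoint actually ran."""
    if ex.status != 200:
        return False
    try:
        payload = json.loads(ex.response_body)
    except ValueError:
        return False
    logs = payload.get("logs") if isinstance(payload, dict) else None
    return isinstance(logs, str) and UID_GID_RE.search(logs) is not None

def classify(ex: HttpExchange) -> str:
    """'benign' (rule silent), 'attempt' (rule fires) or 'confirmed' (output seen)."""
    if not matches_job_submission(ex):
        return "benign"
    return "confirmed" if shows_successful_execution(ex) else "attempt"

# Constructed samples, not captured traffic. The second is an ordinary training job:
# the rule fires on every submission, so it suits only dashboards that should never
# see untrusted clients.
SAMPLES = [
    HttpExchange(8265, "POST", "/api/jobs/", "application/json",
                 json.dumps({"entrypoint": "id"}), 200,
                 json.dumps({"logs": "uid=0(root) gid=0(root) groups=0(root)\n"})),
    HttpExchange(8265, "POST", "/api/jobs/", "application/json",
                 json.dumps({"entrypoint": "python train.py"}), 200,
                 json.dumps({"logs": "epoch 1 loss 0.42\n"})),
    HttpExchange(8265, "GET", "/api/jobs/", "", "", 200, "[]"),
]
```

Because job submission is Ray's intended function, every legitimate submission also matches; the rule is only meaningful on a dashboard that should never receive requests from untrusted networks.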
Metasploit
Ray Agent Job RCE
metasploit
RCE in Ray via the agent job submission endpoint. This is intended functionality as Ray's main purpose is executing arbitrary workloads. By default Ray has no authentication.
Nuclei
CVE-2023-48022 [CRITICAL] Anyscale Ray - Remote Code Execution
nuclei · CVSS 9.8
Anyscale Ray 2.6.3 and 2.8.0 contain a remote code execution vulnerability due to insecure job submission API, allowing attackers to execute arbitrary code remotely if they have network access to the Ray Dashboard API.
Template:
```yaml
id: CVE-2023-48022
info:
  name: Anyscale Ray - Remote Code Execution
  author: riteshs4hu
  severity: critical
  description: |
    Anyscale Ray 2.6.3 and 2.8.0 contain a remote code execution vulnerability due to insecure job submission API, allowing attackers to execute arbitrary code remotely if they have network access to the Ray Dashboard API.
  impact: |
    Unauthenticated attackers with network access to the Ray Dashboard API can execute arbitrary code remotely as root, leading to complete system compromise.
  remediation: |
    Upgrade An
```
Sans Isc
CVE-2016-20017 What do Ports Hear When Nobody's Listening? An Assessment of Automated Cybercrime [Guest Diary], (Wed, Jun 24th)
blogs_sans_isc · 2026-06-25
Published: 2026-06-24. Last Updated: 2026-06-25 00:39:08 UTC
by Nicole Phillips, SANS.edu BACS Student (Version: 1)
[This is a Guest Diary by Nicole Phillips, an ISC intern as part of the SANS.edu BACS program]
"I was just sitting here enjoying the company. Plants got a lot to say, if you take the time to listen."
— Eeyore, Winnie the Pooh
Introduction: Listening to the Static
Setting up and contributing to the DShield honeypot project [1] as an ISC intern is a meaningful part of the BACS program at SANS [2]. Over the last several months I've been thrilled to observe real-time SSH/Telnet activity, check every new file hash and TTY log and hunt for unique http requests. That sa
Wiz
[CRITICAL] Supply Chain Attacks & AI Vulnerabilities: December Cloud Security Update | Wiz
blogs_wiz · 2025-12-01 · CVSS 10.0
Welcome back! This edition delivers the latest cloud security highlights: key breaches, unique data findings, and must-watch vulnerabilities. Let’s jump in.
🔍 Highlights
Shai-Hulud 2.0: Ongoing Supply Chain Campaign Referencing Shai-Hulud
A new npm supply-chain campaign referencing Shai-Hulud temporarily compromised packages from Zapier, ENS Domains, PostHog, Postman, and others. This wave leveraged temporarily compromised npm maintainer accounts to publish trojanized versions of legitimate packages from major ecosystems. Wiz observed over 25,000 repositories containing secrets across ~350 unique users.
The malicious packages execute code during the preinstall phase, enabling theft of developer and CI/CD secrets and automated propagation to new repositories. Exfiltration is conducted c
Bleepingcomputer
[CRITICAL] New ShadowRay attacks convert Ray clusters into crypto miners
blogs_bleepingcomputer · 2025-11-18 · CVSS 9.8
## New ShadowRay attacks convert Ray clusters into crypto miners
## Bill Toulas
They say that the malicious activity goes beyond cryptocurrency mining, and in some cases, it includes data and credentials theft, as well as deploying distributed denial-of-service (DDoS) attacks.
## New campaign, same (unfixed) flaw
ShadowRay 2.0 is the continuation of another ShadowRay campaign, also exposed by Oligo, which ran between September 2023 and March 2024.
Oligo researchers found that an old critical vulnerability tracked as CVE-2023-48022 was exploited in both campaigns. The security issue did not receive a fix as Ray was designed to run in a trusted environment described as a "strictly-controlled network environment."
However, the researchers say that there are more than 230,000 Ray server
Checkpoint
CVE-2023-48022 1st April – Threat Intelligence Report
blogs_checkpoint · 2024-04-01
## 1st April – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 1st April, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The US and UK governments have announced a criminal indictment and sanctions against APT31, a group of Chinese hackers, for their role in allegedly conducting attacks against companies in the US, as well as government officials in the UK. Check Point has shared its insights on the event and referenced a past report about APT31,
Bleepingcomputer
CVE-2023-6019 [CRITICAL] Hackers exploit Ray framework flaw to breach servers, hijack resources
blogs_bleepingcomputer · 2024-03-26 · CVSS 9.8
## Hackers exploit Ray framework flaw to breach servers, hijack resources
## Bill Toulas
The framework boasts over 30,500 stars on GitHub, and it is used by many organizations worldwide, including Amazon, Spotify, LinkedIn, Instacart, Netflix, Uber, and OpenAI, that use it for training ChatGPT.
## Active exploitation underway
In November 2023, Anyscale disclosed five Ray vulnerabilities, fixing four tracked as CVE-2023-6019, CVE-2023-6020, CVE-2023-6021, and CVE-2023-48023.
However, the fifth bug, a critical remote code execution flaw tracked as CVE-2023-48022, was not fixed because, according to them, its lack of authentication was a long-standing design decision.
"The remaining CVE (CVE-2023-48022) - that Ray does not have authentication built in - is a long-standing design d
Threat Intel
CVE-2023-48022 [CRITICAL] IronErn440
threat_intel · CVSS 9.8
# Threat Actor: IronErn440
## Description
IronErn440 is a threat actor tracked by Oligo Security for orchestrating the ShadowRay 2.0 campaign, an evolution of attacks since September 2023 exploiting CVE-2023-48022, a missing authentication flaw in the Ray AI framework's Job Submission API. The actor submits malicious jobs to exposed Ray clusters (port 8265), deploying multi-stage Bash/Python payloads via GitHub/GitLab repositories like "ironern440-group" and "thisisforwork440-ops" to propagate worm-like, hijack NVIDIA GPUs for XMRig cryptomining, pivot laterally, create reverse shells, kill competing miners, limit CPU to 60%, and persist via cron jobs pulling updates every 15 minutes. Additional capabilities include DDoS via sockstress on port 3333 (targeting mining pools), region-specifi
Greynoiseio
NoiseLetter October 2024
blogs_greynoiseio
ATT&CK
CVE-2023-48022 [CRITICAL] ShadowRay
mitre_attack · CVSS 9.8
[ShadowRay](https://attack.mitre.org/campaigns/C0045) was a campaign that began in late 2023 targeting the education, cryptocurrency, biopharma, and other sectors through a vulnerability (CVE-2023-48022) in the Ray AI framework named ShadowRay. According to security researchers [ShadowRay](https://attack.mitre.org/campaigns/C0045) was the first known instance of AI workloads being actively exploited in the wild through vulnerabilities in AI infrastructure. CVE-2023-48022, which allows access to compute resources and sensitive data for exposed instances, remains unpatched and has been disputed by the vendor as they maintain that Ray is not intended for use outside of a strictly controlled network environment.(Citation: Oligo ShadowRay Campaign MAR 2024)
Aliases: ShadowRay
References:
- https://atlas.mitre.org/studies/AML.CS0023
- https://bishopfox.com/blog/ray-versions-2-6-3-2-8-0
- https://docs.ray.io/en/latest/ray-security/index.html
- https://docs.ray.io/en/latest/ray-security/token-auth.html
- https://www.vicarius.io/vsociety/posts/shadowray-cve-2023-48022-exploit
- https://www.vicarius.io/vsociety/posts/the-story-of-shadowray-cve-2023-48022