Executive Summary
In November 2025, the 'ShadowRay 2.0' campaign was uncovered actively exploiting an unpatched, two-year-old vulnerability in the Ray open-source AI framework. Threat actors leveraged this flaw to compromise cloud-hosted and on-premises Ray clusters equipped with NVIDIA GPUs, deploying a self-spreading botnet targeting large-scale cryptomining. The attackers automated lateral movement within cloud environments and data centers, rapidly enrolling new nodes into the botnet, and using high-performance GPUs for illicit cryptocurrency mining, resulting in significant resource abuse, potential data exposure, and increased operational costs for targets.
ShadowRay 2.0 highlights the rising trend of adversaries abusing vulnerable AI/ML infrastructure for financially motivated campaigns. The incident underlines the security risks facing organizations using open-source workloads, as attackers increasingly automate botnet propagation, and reinforces the urgency of addressing software supply chain and east-west traffic security gaps.
Why This Matters Now
This incident underscores the growing urgency for organizations to patch vulnerable AI/ML frameworks and defend against automated attacks that abuse internal cloud and GPU resources. As cryptomining botnets evolve with new propagation techniques, unprotected east-west traffic and unpatched open-source dependencies have become prime targets—posing escalating risks to business continuity and cloud cost exposure.
Attack Path Analysis
The attacker exploited an unpatched vulnerability in the Ray AI framework to gain access to exposed GPU-enabled clusters. Upon entry, automated scripts were likely used to escalate privileges and deploy persistent processes. The malware propagated laterally across clusters and regions through east-west communication, leveraging internal connection misconfigurations. Command and control was maintained through outbound traffic, enabling remote botnet coordination. Mining software and environment data may have been exfiltrated to attacker infrastructure. Finally, the infected clusters were conscripted into a large-scale cryptomining operation, degrading cloud resources and incurring financial losses.
Kill Chain Progression
Initial Compromise
Description
Exploitation of an unpatched public-facing Ray vulnerability allowed remote attackers to access GPU-enabled cloud workloads.
Related CVEs
CVE-2023-48022
CVSS 9.8A critical vulnerability in the Ray AI framework allows unauthenticated remote code execution via the Jobs API, enabling attackers to execute arbitrary commands on all nodes within a Ray cluster.
Affected Products:
Anyscale Ray – <= 2.8.0
Exploit Status:
exploited in the wildCVE-2025-62593
CVSS 9.4A critical RCE vulnerability in Ray versions prior to 2.52.0 allows attackers to execute arbitrary code on a developer's machine via DNS rebinding attacks, particularly when using Firefox or Safari browsers.
Affected Products:
Anyscale Ray – < 2.52.0
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter
System Binary Proxy Execution: Side-Loaded Kernel Modules and Device Drivers
Valid Accounts
System Information Discovery
Resource Hijacking
Exploitation of Remote Services
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – Identification and mitigation of ICT risks
Control ID: Article 9(2)(b)
CISA Zero Trust Maturity Model 2.0 – Continuous vulnerability assessment and remediation
Control ID: Asset Management - Vulnerability Management
NIS2 Directive – Incident prevention, detection, and response
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology/IT
Ray AI framework exploitation targeting GPU clusters creates significant risk for IT infrastructure providers managing cloud-native AI workloads and cryptocurrency mining operations.
Computer Software/Engineering
ShadowRay 2.0 botnet directly impacts software companies using Ray framework for AI development, requiring immediate patching and enhanced east-west traffic security controls.
Health Care / Life Sciences
AI-powered healthcare organizations using Ray framework face compliance violations under HIPAA regulations while GPU resources are compromised for unauthorized cryptocurrency mining activities.
Financial Services
Financial institutions leveraging AI frameworks encounter regulatory compliance risks under PCI standards while facing potential data exfiltration through compromised GPU mining infrastructure.
Sources
- ShadowRay 2.0 Exploits Unpatched Ray Flaw to Build Self-Spreading GPU Cryptomining Botnethttps://thehackernews.com/2025/11/shadowray-20-exploits-unpatched-ray.htmlVerified
- Critical Vulnerability Found in Ray AI Frameworkhttps://www.securityweek.com/critical-vulnerability-found-in-ray-ai-framework/Verified
- ShadowRay vulnerability on Ray framework exposes thousands of AI workloads, compute power and datahttps://venturebeat.com/security/shadowray-vulnerability-on-ray-framework-exposes-thousands-of-ai-workloads-compute-power-and-data/Verified
- Thousands of businesses at mercy of miscreants thanks to unpatched Ray AI flawhttps://www.theregister.com/2024/03/27/ray_ai_framework_bug/Verified
- NVD - CVE-2025-62593https://nvd.nist.gov/vuln/detail/CVE-2025-62593Verified
- Critical Ray AI Flaw Exposes Devs via Safari & Firefox (CVE-2025-62593)https://securityonline.info/critical-ray-ai-flaw-exposes-devs-via-safari-firefox-cve-2025-62593/Verified
- CVE-2025-62593 : Remote Code Execution Vulnerability in Ray AI Compute Enginehttps://securityvulnerability.io/vulnerability/CVE-2025-62593Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Zero Trust segmentation, workload microsegmentation, and strict egress controls would have blocked lateral movement and C2 activity, while threat detection and anomaly response would have identified abnormal mining behaviors for timely containment.
Control: Cloud Firewall (ACF)
Mitigation: Blocked unauthorized inbound connections to vulnerable workloads.
Control: Threat Detection & Anomaly Response
Mitigation: Detected anomalous processes or privilege escalation attempts.
Control: Zero Trust Segmentation
Mitigation: Prevented unauthorized inter-workload and inter-region communication.
Control: Egress Security & Policy Enforcement
Mitigation: Blocked malicious outbound traffic attempting to reach attacker infrastructure.
Control: Egress Security & Policy Enforcement
Mitigation: Detected or blocked unapproved data export attempts.
Early detection of resource misuse enabled rapid remediation.
Impact at a Glance
Affected Business Functions
- AI Model Training
- Data Processing
- Research and Development
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive AI models, training data, and intellectual property due to unauthorized access to Ray clusters.
Recommended Actions
Key Takeaways & Next Steps
- • Enforce Cloud Firewall policies to ensure only necessary ports and protocols are exposed to the internet.
- • Apply Zero Trust Segmentation between workloads and namespaces to block malware lateral movement.
- • Deploy strict egress policy enforcement to restrict outbound connections to approved destinations.
- • Enable continuous Threat Detection & Anomaly Response to spot deviations from normal workload behavior.
- • Regularly update and patch cloud-native frameworks such as Ray to close known vulnerabilities.
