OpenWebUI Servers - Extensive Cryptomining Campaign Uncovered
Basically, hackers are using OpenWebUI servers to secretly mine cryptocurrency and steal data.
OpenWebUI servers are being exploited for cryptomining and data theft. Nearly 12,000 servers are at risk due to a critical vulnerability. Organizations must act quickly to secure their systems.
What Happened
In a concerning development, OpenWebUI servers have been targeted by cybercriminals for extensive cryptocurrency mining activities. This attack campaign has been active since late 2024, exploiting a vulnerability known as CVE-2025-63391. Researchers from Cybernews have reported that misconfigured instances of these widely used open-source AI servers were compromised with malware designed for both cryptomining and stealing credentials.
The attackers utilized illicit Python scripts to inject cryptominers and infostealing payloads into the vulnerable servers. Initially, the infostealer was delivered through a malicious Java archive file, but attackers evolved their tactics, integrating data theft capabilities directly into the Python scripts. This evolution indicates a sophisticated approach to maximizing their gains from the compromised servers.
Who's Affected
The impact of this attack is significant, as nearly all of the 12,000 online OpenWebUI servers are susceptible to the identified vulnerability. The majority of these affected servers are located in the U.S., China, and Germany. Alarmingly, almost 50% of these servers lack proper authentication, making them easy targets for attackers.
As a result, organizations utilizing OpenWebUI should be particularly vigilant. The widespread nature of this attack means that many users may not even be aware that their servers are compromised, potentially leading to severe consequences for data security and operational integrity.
What Data Was Exposed
While the primary focus of the attackers appears to be on cryptomining, the integration of infostealer capabilities raises concerns about the types of data that may have been exposed. With the malware in place, sensitive information could be at risk, including user credentials and other personal data.
The lack of authentication on many servers exacerbates the issue, as unauthorized access becomes easier for threat actors. This situation highlights the critical need for organizations to secure their systems against such vulnerabilities to prevent unauthorized data access and theft.
What You Should Do
To mitigate the risks associated with this attack, immediate action is required. Organizations should take the following steps:
- Activate authentication features on OpenWebUI servers to restrict unauthorized access.
- Implement admin approvals for new signups to ensure only legitimate users can access the system.
- Establish IP whitelisting to limit access to trusted sources only.
- Monitor for unauthorized uploads and unpermitted models to detect any suspicious activity.
By following these recommendations, organizations can significantly enhance their security posture and protect their OpenWebUI instances from future attacks. Awareness and proactive measures are essential in combating the evolving threat landscape in the cybersecurity realm.