CP
cyberpings
Malware & RansomwareHIGH

OpenWebUI Servers - Extensive Cryptomining Campaign Uncovered

SCSC Media
OpenWebUICVE-2025-63391cryptominingmalwareinfostealer
🎯

Basically, hackers are using OpenWebUI servers to secretly mine cryptocurrency and steal data.

Quick Summary

OpenWebUI servers are being exploited for cryptomining and data theft. Nearly 12,000 servers are at risk due to a critical vulnerability. Organizations must act quickly to secure their systems.

What Happened

In a concerning development, OpenWebUI servers have been targeted by cybercriminals for extensive cryptocurrency mining activities. This attack campaign has been active since late 2024, exploiting a vulnerability known as CVE-2025-63391. Researchers from Cybernews have reported that misconfigured instances of these widely used open-source AI servers were compromised with malware designed for both cryptomining and stealing credentials.

The attackers utilized illicit Python scripts to inject cryptominers and infostealing payloads into the vulnerable servers. Initially, the infostealer was delivered through a malicious Java archive file, but attackers evolved their tactics, integrating data theft capabilities directly into the Python scripts. This evolution indicates a sophisticated approach to maximizing their gains from the compromised servers.

Who's Affected

The impact of this attack is significant, as nearly all of the 12,000 online OpenWebUI servers are susceptible to the identified vulnerability. The majority of these affected servers are located in the U.S., China, and Germany. Alarmingly, almost 50% of these servers lack proper authentication, making them easy targets for attackers.

As a result, organizations utilizing OpenWebUI should be particularly vigilant. The widespread nature of this attack means that many users may not even be aware that their servers are compromised, potentially leading to severe consequences for data security and operational integrity.

What Data Was Exposed

While the primary focus of the attackers appears to be on cryptomining, the integration of infostealer capabilities raises concerns about the types of data that may have been exposed. With the malware in place, sensitive information could be at risk, including user credentials and other personal data.

The lack of authentication on many servers exacerbates the issue, as unauthorized access becomes easier for threat actors. This situation highlights the critical need for organizations to secure their systems against such vulnerabilities to prevent unauthorized data access and theft.

What You Should Do

To mitigate the risks associated with this attack, immediate action is required. Organizations should take the following steps:

  • Activate authentication features on OpenWebUI servers to restrict unauthorized access.
  • Implement admin approvals for new signups to ensure only legitimate users can access the system.
  • Establish IP whitelisting to limit access to trusted sources only.
  • Monitor for unauthorized uploads and unpermitted models to detect any suspicious activity.

By following these recommendations, organizations can significantly enhance their security posture and protect their OpenWebUI instances from future attacks. Awareness and proactive measures are essential in combating the evolving threat landscape in the cybersecurity realm.

🔒 Pro insight: The exploitation of CVE-2025-63391 underscores the urgent need for robust security configurations in open-source deployments.

Original article from

SC Media

Read Full Article

Share

Related Pings

CRITICALMalware & Ransomware

Interlock Ransomware - Exploiting Cisco FMC Zero-Day Flaw

Interlock ransomware is actively exploiting a critical Cisco FMC vulnerability before its public disclosure. Organizations using this software are at high risk. Immediate patching is essential to protect against these attacks.

SC Media·
HIGHMalware & Ransomware

Malware - New .NET AOT Malware Evades Detection with Scoring

A new malware campaign using .NET AOT techniques has been discovered. It targets users through phishing emails and evades detection by evaluating system criteria. This poses serious risks to personal and organizational security. Stay informed and protect your systems.

SC Media·
HIGHMalware & Ransomware

Malware - Android Devices Ship with Keenadu Firmware Threat

Keenadu malware is found in Android firmware, allowing attackers to control devices for ad fraud. Affected models include low-cost Android phones. Users should update firmware and monitor for unusual activity.

Sophos News·
HIGHMalware & Ransomware

Malware - Android Devices Ship with Firmware-Level Threat

A new firmware-level malware called Keenadu is affecting Android devices. Over 500 devices across 40 countries are compromised, enabling ad fraud. Users should update their firmware to mitigate risks.

Sophos News·
HIGHMalware & Ransomware

Speagle Malware - Hijacks Cobra DocGuard to Steal Data

Cybersecurity experts have flagged Speagle malware, which hijacks Cobra DocGuard to steal sensitive data. Organizations using this software are at risk, highlighting the need for enhanced security measures.

The Hacker News·
HIGHMalware & Ransomware

Malware - DarkSword Tool Exposes Millions of iPhones

A new hacking tool, DarkSword, is being used by Russian hackers to exploit vulnerabilities in older iPhones. Millions of users are at risk of data theft just by visiting compromised websites. Keeping software updated is crucial for protection against this sophisticated malware.

Ars Technica Security·