Massive Cyberattack Targets OpenWebUI AI Servers, Exposing Thousands to Cryptomining and Credential Theft

March 20, 2026
  • Attackers exploited CVE-2025-63391, a data-leakage flaw, using malicious Python scripts to deploy miners and infostealer payloads on exposed OpenWebUI instances.

  • A cybersecurity report details a malicious campaign targeting OpenWebUI AI servers that left numerous instances unprotected and exposed to cryptomining and credential-stealing malware, with covert hijacking dating back to late 2024.

  • Security recommendations urge enabling authentication, requiring admin approvals for new signups, implementing IP whitelisting, and setting up monitoring to detect unauthorized uploads of tools or unpermitted models.

  • The report stresses proactive security measures to protect OpenWebUI deployments and prevent similar compromises in the future.

  • Related threat briefs published the same day, including the infrastructure behind North Korea’s fake IT worker scheme and the DarkSword iOS exploit kit, place this campaign in a broader threat landscape.

  • Researchers found 98 OpenWebUI instances with no authentication, with 45 already compromised, 33 showing configuration or compromise indicators, and 11 appearing normal without signs of compromise.

  • Malware leveraged Discord webhooks to alert the attacker whenever a new server was compromised, signaling active deployment and control.

  • An estimated 12,000 online OpenWebUI servers were vulnerable, concentrated in the United States, China, and Germany, with nearly half lacking any authentication.

  • Over 2,000 OpenWebUI servers were open to user registrations, enabling unauthorized account creation and access.

  • OpenWebUI is an open-source interface for locally hosted LLMs and AI models via a web dashboard, which makes unprotected servers particularly attractive to attackers.

  • The malware mined cryptocurrency and stole credentials on infected servers, and it used obfuscation techniques such as reversed byte sequences, Base64 encoding, and zlib compression to evade detection.
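The hardening recommendations above (require authentication, gate new signups behind admin approval, allowlist source IPs, and monitor tool and model uploads) can be checked mechanically. The script below is an added example, not code from the report or from the Open WebUI project. It audits a deployment's environment settings and flags suspicious events from a constructed, hypothetical event stream; the environment variable names WEBUI_AUTH, ENABLE_SIGNUP and DEFAULT_USER_ROLE are the ones Open WebUI documents (verify them against the version you run), while the event record schema, user names and IP addresses are constructed for the example.

```python
import ipaddress

# Constructed sample configurations (environment variables as Open WebUI
# documents them; confirm names and defaults for your installed version).
WEAK_ENV = {"WEBUI_AUTH": "False", "ENABLE_SIGNUP": "True", "DEFAULT_USER_ROLE": "user"}
HARDENED_ENV = {"WEBUI_AUTH": "True", "ENABLE_SIGNUP": "False", "DEFAULT_USER_ROLE": "pending"}


def _truthy(value) -> bool:
    """Interpret the usual env-var spellings of a boolean."""
    return str(value).strip().lower() in {"1", "true", "yes", "on"}


def audit_env(env: dict) -> list[str]:
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    if not _truthy(env.get("WEBUI_AUTH", "True")):
        findings.append("WEBUI_AUTH=False: every visitor gets the instance without logging in")
    if _truthy(env.get("ENABLE_SIGNUP", "False")):
        role = env.get("DEFAULT_USER_ROLE", "pending").strip().lower()
        if role != "pending":
            findings.append(
                f"ENABLE_SIGNUP=True with DEFAULT_USER_ROLE={role}: "
                "self-registered accounts are usable without admin approval"
            )
    return findings


def ip_allowed(client_ip: str, allow_cidrs: list[str]) -> bool:
    """IP allowlisting: True when the client address falls inside any allowed CIDR."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in allow_cidrs)


# Constructed, hypothetical event records (not Open WebUI's real log format).
EVENTS = [
    {"ts": "2026-03-18T09:12:01Z", "user": "alice", "role": "admin",
     "action": "tool.create", "src_ip": "10.0.0.5"},
    {"ts": "2026-03-18T09:40:44Z", "user": "new_user_91", "role": "user",
     "action": "tool.create", "src_ip": "203.0.113.7"},
    {"ts": "2026-03-18T09:41:10Z", "user": "new_user_91", "role": "user",
     "action": "model.create", "src_ip": "203.0.113.7"},
    {"ts": "2026-03-18T10:02:33Z", "user": "bob", "role": "user",
     "action": "chat.completion", "src_ip": "10.0.0.9"},
]

# Actions that change what code the server will run or which models it serves.
SENSITIVE_ACTIONS = {"tool.create", "tool.update", "function.create", "model.create"}


def flag_events(events: list[dict], allow_cidrs: list[str]) -> list[tuple]:
    """Return (user, action, reasons) for every event that breaks a policy rule."""
    alerts = []
    for event in events:
        reasons = []
        if event["action"] in SENSITIVE_ACTIONS and event["role"] != "admin":
            reasons.append("sensitive action by non-admin account")
        if not ip_allowed(event["src_ip"], allow_cidrs):
            reasons.append("source address outside the allowlist")
        if reasons:
            alerts.append((event["user"], event["action"], reasons))
    return alerts


if __name__ == "__main__":
    for name, env in (("weak", WEAK_ENV), ("hardened", HARDENED_ENV)):
        print(f"{name}: {audit_env(env) or 'no findings'}")
    for alert in flag_events(EVENTS, ["10.0.0.0/8"]):
        print("ALERT", alert)
```

With the internal allowlist 10.0.0.0/8, the admin's tool upload passes, the ordinary chat request passes, and both actions by the self-registered account from 203.0.113.7 are flagged twice over: a tool or model upload by a non-admin, and a source outside the allowlist.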
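For analysts triaging a suspicious tool or script pulled from a compromised instance, the three obfuscation layers named above (reversed bytes, Base64, zlib) can be spotted and peeled programmatically. The code below is an added example, not from the report; it assumes the decode order reverse, then Base64-decode, then zlib-decompress, and the payload it unwraps is a constructed, harmless string wrapped in three such layers for the demonstration.

```python
import base64
import re
import zlib

# Signature for the loader pattern described in the report: a zlib.decompress
# wrapped around base64.b64decode of a reversed byte string.
LOADER_RE = re.compile(r"zlib\.decompress\s*\(\s*base64\.b64decode\s*\(.*?\[::-1\]", re.S)


def looks_obfuscated(source: str) -> bool:
    """Cheap static check: does the script use the reverse/Base64/zlib unwrap idiom?"""
    return bool(LOADER_RE.search(source))


def peel_layer(blob: bytes) -> bytes:
    """Undo one layer: reverse the bytes, Base64-decode, zlib-decompress."""
    return zlib.decompress(base64.b64decode(blob[::-1]))


def deobfuscate(blob: bytes, max_layers: int = 8) -> tuple[bytes, int]:
    """Peel layers until the data no longer decodes; return (payload, layers_removed)."""
    data, layers = blob, 0
    while layers < max_layers:
        try:
            data = peel_layer(data)
        except (ValueError, zlib.error):  # binascii.Error is a ValueError subclass
            break
        layers += 1
    return data, layers


# Constructed sample: a harmless payload wrapped three times, built only so the
# example can run offline. Wrapping is the exact inverse of peel_layer.
INNER = b'print("constructed sample payload, not malware")'


def _wrap(data: bytes, times: int) -> bytes:
    for _ in range(times):
        data = base64.b64encode(zlib.compress(data))[::-1]
    return data


SAMPLE_BLOB = _wrap(INNER, 3)
SAMPLE_LOADER_SOURCE = "exec(zlib.decompress(base64.b64decode(b'" + SAMPLE_BLOB.decode() + "'[::-1])))"


if __name__ == "__main__":
    print("loader idiom present:", looks_obfuscated(SAMPLE_LOADER_SOURCE))
    payload, layers = deobfuscate(SAMPLE_BLOB)
    print(f"removed {layers} layers ->", payload.decode())
```

The static check is only a triage hint (the idiom has legitimate uses), while `deobfuscate` stops cleanly at the first layer that does not decode, so it is safe to run over arbitrary input without executing anything it recovers.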

Summary based on 2 sources
