CVE-2023-48022: Ray: unauthenticated RCE via job submission API

GHSA-6wgj-66m2-xxp2 | CRITICAL | ACTIVELY EXPLOITED | PoC AVAILABLE | NUCLEI TEMPLATE | CISA: ATTEND
Published November 28, 2023

CISO Take

Any Ray cluster reachable outside a strictly controlled network is fully compromised — no credentials required. EPSS of 91.8% means active exploitation is near-certain. There is no patch; the vendor considers this a deployment problem, not a bug. Block port 8265 immediately, audit all Ray deployments, and treat any exposed cluster as already compromised.

What is the risk?

Critical. CVSS 9.8 with AV:N/AC:L/PR:N/UI:N means zero-friction exploitation from the internet. EPSS 0.917 places this in the top tier of actively exploited vulnerabilities. The vendor's 'working as designed' position eliminates any patch timeline — the full risk burden falls on operators indefinitely. ML teams routinely expose Ray dashboards for operational convenience, and cloud-hosted Ray clusters with permissive security groups are a common real-world misconfiguration. No compensating controls exist at the application layer.

What systems are affected?

Package: Ray
Ecosystem: pip
Vulnerable range: <= 2.49.2
Patched: No patch

Do you use Ray? You're affected.

How severe is it?

CVSS 3.1: 9.8 / 10
EPSS: 81.5% chance of exploitation in 30 days (higher than 100% of all CVEs)
Exploitation status: Actively Exploited
Sophistication: Trivial
Exploitation confidence: high
CISA KEV (active exploitation confirmed)
CISA SSVC: Public PoC
Nuclei detection template available
EPSS exploit prediction: 82%
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

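Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High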

What should I do?

  1. Immediately identify all Ray deployments: scan for port 8265 (dashboard/job API) and 10001 (GCS) exposed outside network controls.

  2. Block these ports at firewall/security group level with no exceptions — this is the only effective mitigation.

  3. If external access is operationally required, deploy an authenticating reverse proxy (nginx with OAuth2 proxy or mTLS) in front of the Ray dashboard.

  4. Use Anyscale's official verification tooling (anyscale.com blog post) to confirm exposure status.

  5. Audit Ray cluster IAM roles and service accounts — assume any previously exposed cluster is compromised, rotate all credentials.

  6. Enable audit logging on job submissions to detect retroactive unauthorized access.

  7. Implement network segmentation for all ML infrastructure; Ray clusters should never share network segments with production systems or internet-facing services.

  8. No upstream patch exists or is planned; all risk management is operational.
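
An added example for steps 1 and 2 (not part of the original advisory or of any Ray/Anyscale tooling): a Python audit of security-group data in the shape returned by `aws ec2 describe-security-groups`, flagging ingress rules that open port 8265 or 10001 to sources outside internal ranges. The INTERNAL list and the sample groups are constructed assumptions; substitute the ranges your own network controls define.

```python
import ipaddress

# Ports from the steps above: Ray dashboard/job API and GCS.
RAY_PORTS = (8265, 10001)
# Assumption: what counts as a "controlled" source range is operator-specific.
INTERNAL = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "fc00::/7")]

def covers(perm, port):
    """True if an IpPermissions entry admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" means all protocols and all ports
        return True
    return proto == "tcp" and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def is_internal(cidr):
    """True if the CIDR lies entirely inside one of the INTERNAL ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == i.version and net.subnet_of(i) for i in INTERNAL)

def exposed_ray_rules(groups):
    """Return sorted (group_id, port, cidr) for rules opening a Ray port beyond INTERNAL."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for port in RAY_PORTS:
                if covers(perm, port):
                    findings += [(sg["GroupId"], port, c) for c in cidrs if not is_internal(c)]
    return sorted(findings)

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8265, "ToPort": 8265,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 11000,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}, {"CidrIp": "203.0.113.0/24"}]}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ddd", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    print(exposed_ray_rules(SAMPLE_GROUPS))
```

Wide port ranges and all-protocol rules are caught as well as exact-port rules, since either one exposes the Ray ports without naming them.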

What does CISA's SSVC say?

Decision: Attend
Exploitation: poc
Automatable: Yes
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
  Annex A.6.2 - AI System Impact Assessment
  Clause 6.1 - Actions to Address Risks and Opportunities
NIST AI RMF
  MANAGE 2.2 - Risk Treatment and Response Plans
  MAP 5.1 - Likelihood and Magnitude of Impacts

Frequently Asked Questions

Is CVE-2023-48022 actively exploited?

Yes, CVE-2023-48022 is confirmed as actively exploited and is listed in the CISA Known Exploited Vulnerabilities catalog.

What systems are affected by CVE-2023-48022?

This vulnerability affects the following AI/ML architecture patterns: distributed training pipelines, model serving infrastructure, hyperparameter tuning clusters, ML platform infrastructure, data processing pipelines, reinforcement learning environments.

What is the CVSS score for CVE-2023-48022?

CVE-2023-48022 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 81.51%.

What is the AI security impact?

Affected AI Architectures

distributed training pipelines
model serving infrastructure
hyperparameter tuning clusters
ML platform infrastructure
data processing pipelines
reinforcement learning environments

MITRE ATLAS Techniques

AML.T0006 Active Scanning
AML.T0025 Exfiltration via Cyber Means
AML.T0035 AI Artifact Collection
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0072 Reverse Shell

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: Annex A.6.2, Clause 6.1
NIST AI RMF: MANAGE 2.2, MAP 5.1

What are the technical details?

Original Advisory

Anyscale Ray allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment.

Exploitation Scenario

An attacker performs an internet-wide scan for port 8265 (readily available via Shodan/Censys). On finding an exposed Ray dashboard, they POST a crafted job to /api/jobs/ with a malicious Python entrypoint — a reverse shell, credential harvester, or model exfiltration script. Ray executes the job across all cluster workers with no authentication check, granting immediate RCE. In a typical ML training environment, the attacker harvests AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY from worker environment variables within seconds, then pivots to S3 buckets containing proprietary training data and model artifacts. Alternatively, they inject a data poisoning payload into the active training job by modifying input data mid-run, compromising model integrity without triggering obvious alerts. The MITRE ATLAS case study AML.CS0023 documents this exact attack pattern in the wild.
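
As an added detection example (not from the original advisory): a Python pass over reverse-proxy access logs that flags POST requests to /api/jobs/ arriving from sources outside an allowlist of legitimate submitters. It assumes nginx "combined" log format from a proxy placed in front of the dashboard; ALLOWED_SUBMITTERS and the sample log lines are constructed.

```python
import ipaddress
import re

# Assumption: legitimate job submitters live only on these ranges.
ALLOWED_SUBMITTERS = [ipaddress.ip_network("10.42.0.0/24")]

# nginx "combined": addr - user [time] "METHOD path proto" status bytes ...
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def unauthorized_submissions(lines):
    """Return (timestamp, source, status) for each POST to the job
    submission endpoint from a source outside ALLOWED_SUBMITTERS."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Normalise query string and trailing slash before comparing.
        path = m["path"].split("?", 1)[0].rstrip("/")
        if path != "/api/jobs":
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # not an IP literal; skip rather than guess
        if not any(src in net for net in ALLOWED_SUBMITTERS):
            hits.append((m["ts"], str(src), int(m["status"])))
    return hits

# Constructed sample lines (documentation address ranges).
SAMPLE_LOG = [
    '10.42.0.17 - - [12/Mar/2024:09:14:02 +0000] "POST /api/jobs/ HTTP/1.1" 200 112 "-" "python-requests/2.31.0"',
    '198.51.100.23 - - [12/Mar/2024:09:20:45 +0000] "GET / HTTP/1.1" 200 87 "-" "curl/8.4.0"',
    '198.51.100.23 - - [12/Mar/2024:09:20:47 +0000] "POST /api/jobs/ HTTP/1.1" 200 118 "-" "curl/8.4.0"',
    '203.0.113.9 - - [12/Mar/2024:11:02:10 +0000] "POST /api/jobs HTTP/1.1" 401 0 "-" "-"',
]

if __name__ == "__main__":
    for ts, src, status in unauthorized_submissions(SAMPLE_LOG):
        print(f"{ts} unexpected job submission from {src} (HTTP {status})")
```

A 2xx status on a flagged line means the submission was accepted and the cluster should be handled as compromised; a 401/403 shows the proxy's authentication rejected it.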

Weaknesses (CWE)

CWE-829 — Inclusion of Functionality from Untrusted Control Sphere: The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
  • [Architecture and Design] When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap [REF-45] provide this capability.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: November 28, 2023
Last Modified: December 20, 2025
First Seen: March 24, 2026

Scanner Template Available

A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.

nuclei -t http/cves/2023/CVE-2023-48022.yaml -u https://target.example.com