CVE-2026-25253/44118/etc & ClawHub/ZombieClaw + 433+ CVEs + Malicious Skills + IMDA Warnings
Key Questions
What warnings has IMDA Singapore issued regarding OpenClaw?
IMDA Singapore issued warnings on 2026-05-26 against using OpenClaw in mission-critical environments due to multiple security flaws. The advisory highlights risks from four chainable vulnerabilities in the Claw Chain (CVEs 44112-44118) and plugin trust bypass issues.
What are the main vulnerabilities affecting OpenClaw?
Four chainable flaws (CVEs 44112-44118) enable remote code execution and persistent compromise, with CVSS scores up to 9.9 confirmed by PurpleOps. An estimated 65,000 to 245,000 servers were publicly exposed, alongside risks from malicious skills in the marketplace.
How does GhostSocks malware spread through OpenClaw?
GhostSocks is distributed via fake OpenClaw installers that have low detection rates and use a novel packer. These installers target users seeking the software and steal information once executed.
What patches are recommended for the OpenClaw vulnerabilities?
Users are urged to upgrade to OpenClaw v5.2 or later to address the Claw Chain flaws and related issues. The updates include fixes for RCE vectors and improved plugin isolation.
What is the Tenure plugin and how does it help with OpenClaw security?
Tenure addresses agent isolation problems by preventing memory sharing between agents. It mitigates risks that other memory plugins have struggled to resolve.
How do malicious plugins bypass trust in OpenClaw?
Attackers publish plugins with hidden malicious functionality in the OpenClaw marketplace. This exploits insufficient validation of plugin behavior and permissions.
What are common security risks for OpenClaw agents?
Key risks include malicious plugins, credential exposure, and unpatched vulnerabilities that allow system-level compromise. Best practices emphasize sandboxing and regular updates.
What research highlights the scale of OpenClaw exposures?
Cyera research and reports on the BSidesSF RCE demonstrations show widespread exposure of 65k-245k servers. These findings underscore the urgency of applying security patches and hardening deployments.
IMDA Singapore warnings (2026-05-26) against mission-critical use. Four Claw Chain flaws (CVEs 44112-44118), BSidesSF RCE, 65k-245k exposed servers, plugin trust bypass. PurpleOps confirms CVSS 9.9 risks; upgrade to v5.2+ urged. GhostSocks malware via fake installers. Cyera research; Tenure plugin.