Why OpenClaw Didn’t Bite NetFoundry Customers

No listening ports, no exposure.

The Power of Dark Services with OpenZiti

The recent OpenClaw vulnerabilities sent ripples through the cybersecurity community. Research from the SecurityScorecard STRIKE Threat Intelligence Team revealed that over 20,000 control panels were exposed to the public internet. These panels represent a massive attack surface for credential stuffing, exploit kits, and remote code execution.

However, this headline was a non-event for NetFoundry customers, who yawned while the rest of the world scrambled to apply patches. It was also a breeze for users of OpenZiti, NetFoundry’s open source software.

How can NetFoundry customers and OpenZiti users be insulated from any OpenClaw CVE – as well as from CVEs from other AI agents?

1. No Listening Ports, No Exposure

Exploiting the “OpenClaw” vulnerability starts with discovery, the same as in many cyber-attacks. Attackers used scanning tools like Shodan and Censys to find IP addresses with open ports (typically 80, 443, or 8080) associated with known control panel software. Unfortunately for the attackers, NetFoundry customers do not have any exposed ports.

In the NetFoundry model, a machine, VM or container running OpenClaw opens an outbound-only connection to a private, dedicated overlay. That overlay is self-hosted or hosted by NetFoundry. Either way, there are no open inbound ports for attackers to scan or to use as an entry point for exploiting a vulnerability.
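One way to check the “no open inbound ports” property on a host is to audit its listening sockets. The script below is an added example, not NetFoundry or OpenZiti tooling; it assumes a Linux host where `ss -H -tln` is available, and the sample output and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of `ss -H -tln` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:8080       0.0.0.0:*
LISTEN 0      4096       127.0.0.1:8080       0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53         0.0.0.0:*
LISTEN 0      128                *:443              *:*
LISTEN 0      4096           [::1]:631           [::]:*
LISTEN 0      128             [::]:22            [::]:*
"""

def split_local(field):
    """Split ss's 'Local Address:Port' column into (address, port)."""
    addr, _, port = field.rpartition(":")
    # Drop IPv6 brackets and any %interface scope suffix.
    addr = addr.strip("[]").split("%", 1)[0]
    return addr, int(port)

def is_loopback_only(addr):
    """True when the bind address accepts connections only from the host itself."""
    if addr == "*":  # ss prints '*' for a dual-stack wildcard bind
        return False
    # 0.0.0.0 and :: are wildcard binds, so is_loopback is False for them.
    return ipaddress.ip_address(addr).is_loopback

def exposed_listeners(ss_output):
    """Return (address, port) pairs bound to non-loopback addresses, sorted by port.

    A non-loopback bind may still be blocked by a firewall; this only
    reports what the host itself is willing to accept.
    """
    found = set()
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, port = split_local(cols[3])
        if not is_loopback_only(addr):
            found.add((addr, port))
    return sorted(found, key=lambda item: item[1])

if __name__ == "__main__":
    for addr, port in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"reachable from the network: {addr}:{port}")
```

On a host that follows the outbound-only model described above, the function should return an empty list for the control panel's port; feed it live data with `subprocess.run(["ss", "-H", "-tln"], capture_output=True, text=True).stdout`.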

2. Identity-First™ Networking

The exposed panels in the OpenClaw report relied on the traditional “first connect the user, then try to authenticate and authorize the user” model. That model means that anyone with the URL could reach the OpenClaw login page and exploit any vulnerabilities.

NetFoundry flips this model to “identify, authenticate, authorize…then connect IF you are authorized.” That model means nobody with the URL, other than identified, authenticated, authorized users, can reach OpenClaw.

3. Public Pipes, Private Overlays

Many of the panels flagged in the OpenClaw report were exposed because they were hosted on public clouds or home networks where “private” networking is complex or expensive to implement.

NetFoundry creates an instant, dedicated, virtual overlay network that sits on top of the public internet. It treats the internet as “dumb pipes.” By encrypting traffic end-to-end and managing routing within the overlay, NetFoundry allows administrators to put their OpenClaw control panels on the “private” overlay. This means the panels are reachable by authorized administrators anywhere in the world, but unreachable from the Internet.

4. Mitigation of Zero-Day Vulnerabilities

Even if an OpenClaw control panel has a critical, unpatched vulnerability (a “Zero-Day”), an attacker cannot exploit it. The vulnerability should be patched, but the OpenClaw user is not racing against the entire Internet to patch it.

NetFoundry’s default, identity-based microsegmentation ensures that even if an attacker manages to compromise one part of a network, they cannot move laterally to find these control panels unless they have been explicitly granted permission to that specific service.

Summary: Closing the Door

OpenZiti doesn’t just lock the door; it removes the door from the public street entirely. OpenClaw is a reminder that software will always have vulnerabilities. By embracing NetFoundry’s zero-trust, open-source based (OpenZiti) model, organizations can ensure that their most sensitive management interfaces remain invisible, unreachable, and secure—no matter what the next vulnerability might be.

Increasingly, AI means we don’t control the software. This makes it critical that we control the network. That’s very difficult with networks that are open by default and use the connect-before-authenticate model. NetFoundry’s default-closed, Identity-First model flips the field: being secure becomes simpler than being insecure because security is built-in instead of bolted-on. We get structural security and speed, and are not racing the Internet to patch issues like this OpenClaw vulnerability.
