In the rush to adopt hot new tech, security is often forgotten. AI is no exception
(2025/09/02)
- Reference: 1756790107
- News link: https://www.theregister.co.uk/2025/09/02/exposed_ollama_servers_insecure_research/
- Source link:
Cisco’s Talos security research team has found over 1,100 Ollama servers exposed to the public internet, where miscreants can use them to do nasty things.
Ollama provides a framework that makes it possible to run large language models locally, on a desktop machine or server. Cisco decided to research it because, in the words of Senior Incident Response Architect Dr. Giannis Tziakouris, Ollama has “gained popularity for its ease of use and local deployment capabilities.”
Talos researchers used the Shodan search engine to find unsecured Ollama servers, and spotted over 1,100, around 20 percent of which are “actively hosting models susceptible to unauthorized access.” Cisco turned up over 1,000 exposed servers within 10 minutes of starting its search.
Leaving an Ollama server dangling on the open internet means anyone who learns of its existence can query the LLM and drive its API, perhaps consuming all of its resources or running up a large bill when the host is a metered cloud instance. Targeted attacks are possible because Cisco found many of the servers expose information that makes it possible to identify the host.
Cisco’s infosec investigators also worry about the following consequences:
- Model Extraction Attacks — Attackers can reconstruct model parameters by querying an exposed ML server repeatedly.
- Jailbreaking and Content Abuse — LLMs like GPT-4, LLaMA, and Mistral can be manipulated to generate restricted content, including misinformation, malware code, or harmful outputs.
- Backdoor Injection and Model Poisoning — Adversaries could exploit unsecured model endpoints to introduce malicious payloads or load untrusted models remotely.
Cisco classified 80 percent of the open Ollama servers it spotted as “dormant” because they were not running any models, so the model-focused attacks above have nothing to target on them. The bad news is that those servers “remain susceptible to exploitation via unauthorized model uploads or configuration manipulation.”
But Dr. Tziakouris warned “their exposed interfaces could still be leveraged in attacks involving resource exhaustion, denial of service, or lateral movement.”
The USA is home to most of the exposed servers (36.6 percent), followed by China (22.5 percent) and Germany (8.9 percent).
Tziakouris concluded the findings of the Cisco study “highlight a widespread neglect of fundamental security practices such as access control, authentication, and network isolation in the deployment of AI systems.” That is often the way when organizations rush to adopt the new hotness, frequently without telling their IT departments, because they don’t want to be told to slow down and do security properly.
He thinks things may get worse.
“The uniform adoption of OpenAI-compatible APIs further exacerbates the issue, enabling attackers to scale exploit attempts across platforms with minimal adaptation,” he wrote, before calling for development of “standardized security baselines, automated auditing tools, and improved deployment guidance for LLM infrastructure.”
He also acknowledged that Cisco’s Shodan scan cannot deliver a definitive view on LLM security, and called for work on tools that include adaptive fingerprinting and active probing techniques, and target other model-hosting frameworks including Hugging Face, Triton, and vLLM, to help researchers better understand the situation. ®
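The survey's two technical points, the split between “dormant” and “active” hosts and the shared OpenAI-compatible surface that lets one tool drive many servers, come down to three unauthenticated GET requests. The script below is an added self-audit example, not Cisco's tooling and not code from the Ollama project: point it at a host you own and it reports whether the Ollama API answers with no credentials, which models it would serve to anyone, and whether the OpenAI-compatible /v1 endpoint is present. It assumes Ollama's documented HTTP API (GET /api/version, GET /api/tags, GET /v1/models, default port 11434); the mapping of “no models listed” to “dormant” is my reading of the article's definition, and the sample JSON in the test is constructed.

```python
"""Self-audit an Ollama endpoint the way the Talos survey classified hosts.

Added example: not Cisco's scanner and not Ollama project code. It assumes
Ollama's documented HTTP API (GET /api/version, GET /api/tags) plus the
OpenAI-compatible GET /v1/models. Treating "no models listed" as "dormant"
is an assumption drawn from the article's wording.
"""
import json
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import List, Optional

DEFAULT_PORT = 11434  # Ollama's default listen port


@dataclass
class Finding:
    reachable: bool = False              # an Ollama API answered without credentials
    version: Optional[str] = None
    models: List[str] = field(default_factory=list)
    openai_compat: bool = False          # /v1/models answered in OpenAI list format

    @property
    def status(self) -> str:
        if not self.reachable:
            return "not-ollama"
        return "active" if self.models else "dormant"


def classify(version_resp: Optional[dict],
             tags_resp: Optional[dict],
             v1_resp: Optional[dict]) -> Finding:
    """Pure classification over the three decoded JSON bodies (None = request failed).

    Kept free of network I/O so it can be tested against constructed responses.
    """
    f = Finding()
    if version_resp is None or "version" not in version_resp:
        return f
    f.reachable = True
    f.version = str(version_resp["version"])
    if tags_resp is not None:
        # /api/tags returns {"models": [{"name": ..., "model": ..., ...}, ...]}
        f.models = [m.get("name") or m.get("model", "?")
                    for m in tags_resp.get("models", [])]
    if v1_resp is not None:
        f.openai_compat = v1_resp.get("object") == "list"
    return f


def _get_json(url: str, timeout: float = 5.0) -> Optional[dict]:
    # Deliberately sends no credentials: any reply here is unauthenticated access.
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except (urllib.error.URLError, OSError, ValueError):
        return None


def audit(host: str, port: int = DEFAULT_PORT) -> Finding:
    base = f"http://{host}:{port}"
    return classify(
        _get_json(f"{base}/api/version"),
        _get_json(f"{base}/api/tags"),
        _get_json(f"{base}/v1/models"),
    )


def report(f: Finding, target: str) -> str:
    if not f.reachable:
        return f"{target}: no Ollama API answered without credentials"
    lines = [f"{target}: UNAUTHENTICATED Ollama {f.version} ({f.status})"]
    if f.openai_compat:
        lines.append("  OpenAI-compatible /v1 surface present: generic OpenAI clients can drive it")
    for m in f.models:
        lines.append(f"  model served to anyone: {m}")
    if f.status == "dormant":
        # The article's point: a dormant host is still writable. Ollama's documented
        # /api/pull and /api/create endpoints would accept a model load just as
        # readily as /api/tags accepted this read (endpoint names assumed from the
        # Ollama API docs, not from the article).
        lines.append("  no models loaded, but an unauthenticated /api/pull or /api/create could load one")
    return "\n".join(lines)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(report(audit(target), target))
```

Run it as `python ollama_audit.py <host>` against your own deployment from a network position that an outsider would have; a “dormant” or “active” line back means the host is one of the ones this survey would have counted. Ollama itself binds to 127.0.0.1:11434 by default and ships no authentication, so an exposed instance is one that was told to listen on a public interface (OLLAMA_HOST) without a reverse proxy or network policy in front of it; the fix is to put it back on loopback or behind something that checks credentials, not to rely on the model being absent.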
Re: News?
Anonymous Coward
I would suggest that management is responsible for AI adoption, but administrators are responsible for the train wreck that is implementation.
"security is often forgotten"
Pascal Monett
No. Security is ALWAYS forgotten. Because it gets in the way of selling product.
Until, oh shit, we've got to secure this thing because, otherwise, customers will complain. And if they complain, they might leave, so now security is important.
So, developers who warned us before, implement security on top of all the bullshit we made you do, because otherwise, you're fired.
News?
I mean, sure, we have to repeat this and actually get management by the balls because they are the drivers behind this train wreck. Looking at who pushes AI to everything and everywhere, and who is frothing from the mouth to exactly do that, and who tells all of us to "just use AI": I personally think these AI companies are responsible for the mess we are in.
The whole mess is not unexpected. We have seen an uptick in SQL injections and other stupid and entirely preventable security holes, because of not training people, people trusting AI, people letting AI spin up containers and companies just pushing stuff with a wanton disregard of basic security. Throw manglement in jail and fine them. Like, real fines. 50% of their net worth, the other 50% go towards the people whose data they dumped on the internet for the world to abuse.