Exposed Ollama Servers: A Wake-Up Call for AI Security

AI can't stop the sprint to adopt hot tech without security

Cisco finds hundreds of Ollama servers open to unauthorized access, creating various nasty risks Cisco's Talos security research team has found over 1,100 Ollama servers exposed to the public internet, where miscreants can use them to do nasty things. Ollama provides a framework that makes it possible to run large language models locally, on a desktop machine or server. Cisco decided to research it because, in the words of Senior Incident Response Architect Dr. Giannis Tziakouris, Ollama has "gained popularity for its ease of use and local deployment capabilities." Talos researchers used the Shodan scanning tool to find unsecured Ollama servers, and spotted over 1,100, around 20 percent of which are "actively hosting models susceptible to unauthorized access." Cisco's scan found over 1,000 exposed servers within 10 minutes of commencing its sweep of the internet. Leaving an Ollama server dangling on the open internet means anyone who learns of its existence could query the LLM and use its API, perhaps consuming all its resources or running up a big bill for hosted systems. Targeted attacks are possible because Cisco found many of the servers expose information that makes it possible to identify hosts. Cisco's infosec investigators also worry about the following consequences: Cisco classified 80 percent of the open Ollama servers it spotted as "dormant" because they were not running any models, meaning the above attacks would be futile. The bad news is that those servers "remain susceptible to exploitation via unauthorized model uploads or configuration manipulation." But Dr. Tziakouris warned "their exposed interfaces could still be leveraged in attacks involving resource exhaustion, denial of service, or lateral movement." The USA is home to most of the exposed servers (36.6 percent), followed by China (22.5 percent) and Germany (8.9 percent). Tziakouris concluded the findings of the Cisco study "highlight a widespread neglect of fundamental security practices such as access control, authentication, and network isolation in the deployment of AI systems." As is often the case when organizations rush to adopt the new hotness, frequently without informing IT departments because they don't want to be told to slow down and do security right. He thinks things may get worse. "The uniform adoption of OpenAI-compatible APIs further exacerbates the issue, enabling attackers to scale exploit attempts across platforms with minimal adaptation," he wrote, before calling for development of "standardized security baselines, automated auditing tools, and improved deployment guidance for LLM infrastructure." He also acknowledged that Cisco's Shodan scan cannot deliver a definitive view on LLM security, and called for work on tools that include adaptive fingerprinting and active probing techniques, and target other model-hosting frameworks including Hugging Face, Triton, and vLLM, to help researchers better understand the situation. ®

Hundreds of LLM servers left exposed online - here's what we know

Businesses are neglecting fundamental security practices, Cisco warned More than 1,100 Ollama servers were found exposed on the public internet, opening the doors to all sorts of cybercrime, experts have claimed. After a quick Shodan search, security researchers Cisco Talos found the servers, which are either local or remote systems that run large language models without relying on external cloud providers. They allow users to download, manage, and run AI models directly on their own hardware or in private infrastructure. This setup is often used by developers and businesses that want more control, privacy, and lower latency when working with generative AI. When these servers are exposed to the wider internet, they enable model extraction attacks (attackers reconstructing model parameters), jailbreaking and content abuse (forcing LLMs to generate restricted or harmful content), or backdoor injection and model poisoning (deploying malware), among other things. Out of the 1,100 servers that were discovered, the majority (around 80%) were "dormant" - meaning they weren't running any models and thus could not be abused in cybercrime. The remaining 20%, however, are "actively hosting models susceptible to unauthorized access", as Cisco Talos put it. The researchers warned how "their exposed interfaces could still be leveraged in attacks involving resource exhaustion, denial of service, or lateral movement." Most of the exposed servers are found in the United States (36.6%), followed by China (22.5%), and Germany (8.9%). For Cisco Talos, the findings "highlight a widespread neglect of fundamental security practices such as access control, authentication, and network isolation in the deployment of AI systems." In many ways, this is not unlike misconfigured or exposed databases, which malicious actors can easily access, stealing data to use in phishing or social engineering attacks.