Full Report
A new joint investigation by SentinelOne SentinelLABS, and Censys has revealed that the open-source artificial intelligence (AI) deployment has created a vast "unmanaged, publicly accessible layer of AI compute infrastructure" that spans 175,000 unique Ollama hosts across 130 countries. These systems, which span both cloud and residential networks across the world, operate outside the
Analysis Summary
# Vulnerability: Widespread Public Exposure of Ollama AI Compute Infrastructure
## CVE Details
- CVE ID: N/A (This finding relates to misconfiguration/exposure rather than a specific software vulnerability released as a CVE.)
- CVSS Score: N/A
- CWE: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-284 (Improper Access Control)
## Affected Systems
- Products: Ollama (Open-source AI deployment framework)
- Versions: All versions configured to bind to `0.0.0.0` or a public interface instead of the default `127.0.0.1`.
- Configurations: Systems where the default configuration (binding to localhost) has been altered to expose the service to the public internet.
## Vulnerability Description
Joint research by SentinelOne SentinelLABS and Censys identified approximately 175,000 publicly accessible Ollama hosts across 130 countries. Ollama defaults to binding only to the localhost address (`127.0.0.1:11434`). The vulnerability lies in the prevalent misconfiguration where users set the service to bind to `0.0.0.0` or a public IP, exposing the AI compute infrastructure outside of secure network perimeters. Crucially, nearly half (over 48%) of these publicly exposed hosts support **tool-calling capabilities**, which allow the LLM to execute code, interact with external APIs, and augment its functions. This exposure combined with insufficient authentication creates a high-risk environment for LLMjacking.
## Exploitation
- Status: Actively exploited in the wild (Targeted for LLMjacking campaigns like Operation Bizarre Bazaar).
- Complexity: Low (Requires simple internet scanning and accessing an unauthenticated public endpoint).
- Attack Vector: Network (External access via the configured public port).
## Impact
- Confidentiality: Medium (Potential exposure of internal data processed by the LLM or sensitive APIs the tool can interact with).
- Integrity: High (Tool-enabled endpoints can execute privileged operations or modify external systems if abused).
- Availability: Medium (Resource exhaustion due to malicious computational requests, such as cryptocurrency mining or large disinformation campaigns).
## Remediation
### Patches
- N/A for the exposure issue; this is primarily a configuration vulnerability. Consult Ollama documentation for the latest installation best practices. (No specific patch listed as the issue is user deployment setting).
### Workarounds
1. **Immediate Configuration Change:** Ensure Ollama is strictly configured to bind only to the localhost interface (`127.0.0.1`) unless required otherwise.
2. **Network Segmentation:** If public access is unavoidable, strictly limit access via host-based firewalls or security groups to only necessary, trusted IP ranges.
3. **Authentication Enforcement:** Implement robust authentication mechanisms for public-facing API endpoints, even if the Ollama framework itself may not natively enforce it strongly by default for local access.
## Detection
- Indicators of Compromise: Unusual or excessive compute utilization on hosts running LLMs; outbound network traffic requests to suspicious or unknown external APIs from the Ollama host; observed traffic patterns consistent with LLMjacking attacks (e.g., large volumes of data egress or repeated requests to sensitive services).
- Detection methods and tools: Use infrastructure scanning tools like Censys or Shodan to search for open ports (default 11434) associated with Ollama or LLM services. Network monitoring tools should watch for authentication failures or unauthenticated API calls directed at these endpoints.
## References
- SentinelOne/Censys Investigation Report: hxxps://www.sentinelone.com/labs/silent-brothers-ollama-hosts-form-anonymous-ai-network-beyond-platform-guardrails/
- Related News Report: hxxps://thehackernews.com/2026/01/researchers-find-175000-publicly.html