Ollama: 175K Exposed Ollama Hosts Allow Remote Code Execution

Global Network of 175,000 Exposed Ollama AI Servers Raises Remote Code Execution Risks

Researchers have uncovered a vast, unmanaged network of 175,000 publicly exposed Ollama AI servers across 130 countries, posing severe remote code execution (RCE) risks. Over a 293-day scanning period, the analysis identified 7.23 million observations from unique hosts, revealing a decentralized yet highly active ecosystem.

A persistent core of 23,000 hosts drove most activity, while transient instances appeared and disappeared frequently. Nearly half of the exposed servers support tool-calling capabilities, enabling code execution, API access, and external system interactions, which fundamentally alters the threat model beyond basic text generation. Additionally, 22% of hosts include vision capabilities, allowing image-based prompt injection attacks via malicious files.

The infrastructure spans both cloud and residential networks, with 56% of hosts located on consumer ISPs and 32% on hyperscalers, complicating traditional security governance. Geographic concentrations were notable: Virginia (18%) led in the U.S., while Beijing (30%) dominated in China, alongside Shanghai and Guangdong (21%).

Model adoption showed striking uniformity, with Llama, Qwen2, and Gemma2 consistently ranking as the top three deployed families. Hardware constraints drove convergence toward 4-bit quantization formats (72% of hosts), increasing systemic fragility: vulnerabilities in these models could impact a significant portion of the exposed ecosystem.

Key threat vectors include:

  • Resource hijacking: unauthenticated access to compute power for malicious activities like spam or disinformation.
  • Prompt injection attacks: exploiting tool-enabled models to extract sensitive data or execute unauthorized commands.
  • Indirect prompt injection: using malicious images to bypass bot defenses via residential IPs.

The decentralized nature of these deployments, particularly on home networks, complicates attribution and incident response, as security teams often lack legal or contractual access to mitigate threats. The findings underscore the need for authentication, monitoring, and network controls equivalent to those applied to traditional externally facing infrastructure.
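For operators checking their own deployment against these findings, the following added example (not code from the researchers or from Ollama) classifies an `OLLAMA_HOST` bind value and flags tool-calling or vision models that become network-reachable. The `auth_proxy` flag, the simplified parsing of `OLLAMA_HOST`, and the model inventory shaped like the `capabilities` field of `/api/show` are assumptions made for illustration.

```python
import ipaddress

RISKY_CAPABILITIES = {"tools", "vision"}  # the two capabilities the article singles out


def bind_scope(ollama_host):
    """Classify an OLLAMA_HOST value as 'loopback', 'private' or 'public'."""
    # Unset means the default loopback bind; strip any scheme and path.
    value = (ollama_host or "127.0.0.1").strip().split("://", 1)[-1].split("/", 1)[0]
    if value.startswith("["):                 # bracketed IPv6 such as [::]:11434
        host = value[1:].split("]", 1)[0]
    elif value.count(":") == 1:               # host:port
        host = value.split(":", 1)[0]
    else:                                     # bare host or bare IPv6
        host = value
    if host == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "public"                       # empty host or a hostname: assume the worst
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:                     # 0.0.0.0 or :: listens on every interface
        return "public"
    return "private" if ip.is_private else "public"


def audit(ollama_host, models, auth_proxy=False):
    """Return findings for one host; `models` maps model name -> capability list.

    `auth_proxy` is a hypothetical flag: True when an authenticating reverse
    proxy is the only network path to the API.
    """
    findings = []
    scope = bind_scope(ollama_host)
    reachable = scope != "loopback"
    if reachable and not auth_proxy:
        findings.append(f"API bound to {scope} interface with no authenticating proxy")
    for name, caps in sorted(models.items()):
        risky = sorted(RISKY_CAPABILITIES & set(caps))
        if risky and reachable:
            findings.append(f"{name}: {', '.join(risky)} reachable from the network")
    return findings


# Constructed inventory, shaped like the `capabilities` field of /api/show output.
SAMPLE_MODELS = {
    "llama3.1:8b": ["completion", "tools"],
    "llava:7b": ["completion", "vision"],
    "gemma2:2b": ["completion"],
}
```

An empty findings list means the API is loopback-only; any other bind scope lists each tool-calling or vision model as a separate finding so it can be restricted or removed.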

Source: https://cyberpress.org/175k-exposed-ollama-hosts-allow-remote-code-execution/

Ollama cybersecurity rating report: https://www.rankiteo.com/company/ollama

"id": "OLL1769784240",
"linkid": "ollama",
"type": "Vulnerability",
"date": "4/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Artificial Intelligence',
                        'location': '130 countries',
                        'name': 'Ollama AI Servers',
                        'size': '175,000 exposed servers',
                        'type': 'AI Infrastructure'}],
 'attack_vector': ['Unauthenticated access',
                   'Prompt injection attacks',
                   'Indirect prompt injection via malicious images'],
 'data_breach': {'data_exfiltration': 'Possible via tool-enabled models',
                 'file_types_exposed': ['Images (for indirect prompt '
                                        'injection)'],
                 'sensitivity_of_data': 'High (potential PII or proprietary '
                                        'data)',
                 'type_of_data_compromised': 'Sensitive data via prompt '
                                             'injection attacks'},
 'description': 'Researchers have uncovered a vast, unmanaged network of '
                '175,000 publicly exposed Ollama AI servers across 130 '
                'countries, posing severe remote code execution (RCE) risks. '
                'Over a 293-day scanning period, the analysis identified 7.23 '
                'million observations from unique hosts, revealing a '
                'decentralized yet highly active ecosystem. Nearly half of the '
                'exposed servers support tool-calling capabilities, enabling '
                'code execution, API access, and external system interactions. '
                'Additionally, 22% of hosts include vision capabilities, '
                'allowing image-based prompt injection attacks via malicious '
                'files. The infrastructure spans both cloud and residential '
                'networks, complicating traditional security governance.',
 'impact': {'data_compromised': 'Sensitive data extraction via prompt '
                                'injection attacks',
            'operational_impact': 'Potential unauthorized use of compute power '
                                  'for malicious activities (e.g., spam, '
                                  'disinformation)',
            'systems_affected': '175,000 publicly exposed Ollama AI servers'},
 'initial_access_broker': {'reconnaissance_period': '293-day scanning period'},
 'lessons_learned': 'The decentralized nature of these deployments, '
                    'particularly on home networks, complicates attribution '
                    'and incident response. Security teams often lack legal or '
                    'contractual access to mitigate threats. The findings '
                    'underscore the need for authentication, monitoring, and '
                    'network controls equivalent to those applied to '
                    'traditional externally facing infrastructure.',
 'motivation': ['Resource hijacking',
                'Data extraction',
                'Unauthorized command execution'],
 'post_incident_analysis': {'corrective_actions': ['Authentication '
                                                   'implementation',
                                                   'Enhanced monitoring',
                                                   'Network segmentation',
                                                   'Restriction of '
                                                   'tool-calling/vision '
                                                   'capabilities'],
                            'root_causes': ['Publicly exposed Ollama AI '
                                            'servers without authentication',
                                            'Lack of monitoring and network '
                                            'controls',
                                            'Decentralized deployment across '
                                            'residential and cloud networks']},
 'recommendations': ['Implement authentication for Ollama AI servers',
                     'Enhance monitoring and network controls',
                     'Apply security governance equivalent to traditional '
                     'infrastructure',
                     'Restrict tool-calling and vision capabilities where '
                     'unnecessary'],
 'title': 'Global Network of 175,000 Exposed Ollama AI Servers Raises Remote '
          'Code Execution Risks',
 'type': 'Remote Code Execution (RCE)',
 'vulnerability_exploited': 'Publicly exposed Ollama AI servers without '
                            'authentication or monitoring'}