A new security investigation has revealed a large number of publicly accessible Ollama AI servers operating without proper safeguards across the internet. Researchers identified nearly 175000 exposed Ollama instances spread across 130 countries, creating what they describe as an unmanaged and high risk layer of AI computing infrastructure.
The findings come from a joint analysis by SentinelLABS, a cybersecurity firm, and an internet intelligence platform. These exposed Ollama servers were found running across cloud environments and residential networks, often outside standard security monitoring. China accounts for just over 30% of the exposed Ollama infrastructure, followed by the US, Germany, France, South Korea, India, Russia, Singapore, Brazil, and the UK. “Nearly half of observed hosts are configured with tool calling capabilities that enable them to execute code, access APIs, and interact with external systems, demonstrating the increasing implementation of LLMs into larger system processes,” said researchers Gabriel Bernadett Shapiro and Silas Cutler.
Ollama is an open source platform that allows users to run and manage large language models locally on Windows, macOS, and Linux systems. While Ollama is designed to run on a local address by default, a simple configuration change can expose it to the public internet. The study found that more than 48% of exposed Ollama servers advertised tool calling features, which allow AI models to interact with external systems and databases. “Tool calling capabilities fundamentally alter the threat model. A text generation endpoint can produce harmful content, but a tool enabled endpoint can execute privileged operations,” the researchers warned.
The analysis also identified Ollama servers running advanced capabilities such as reasoning and vision, with 201 instances using uncensored prompt templates that remove safety limits. This exposure leaves Ollama deployments vulnerable to LLMjacking, where attackers exploit AI infrastructure for spam campaigns, disinformation, cryptocurrency mining, or resale to other threat groups. A recent report confirmed active attacks under an operation known as Bizarre Bazaar. “This end to end operation – from reconnaissance to commercial resale – represents the first documented LLMjacking marketplace with complete attribution,” said researchers Eilon Cohen and Ariel Fogel. The findings highlight the growing need to secure Ollama deployments with strong authentication, monitoring, and network controls.
Also read: Viksit Workforce for a Viksit Bharat
Do Follow: The Mainstream formerly known as CIO News LinkedIn Account | The Mainstream formerly known as CIO News Facebook | The Mainstream formerly known as CIO News Youtube | The Mainstream formerly known as CIO News Twitter
About us:
The Mainstream is a premier platform delivering the latest updates and informed perspectives across the technology business and cyber landscape. Built on research-driven, thought leadership and original intellectual property, The Mainstream also curates summits & conferences that convene decision makers to explore how technology reshapes industries and leadership. With a growing presence in India and globally across the Middle East, Africa, ASEAN, the USA, the UK and Australia, The Mainstream carries a vision to bring the latest happenings and insights to 8.2 billion people and to place technology at the centre of conversation for leaders navigating the future.
