Exposed AI Endpoints Hijacked for Offensive Operations Without Any Exploit
Between March and May 2026, Zenity researchers documented three separate campaigns in which attackers exploited publicly exposed Ollama and LiteLLM instances to run their own offensive AI operations, requiring no credentials or vulnerabilities. The attacks succeeded purely because default configurations left endpoints unauthenticated and reachable over the internet. In one case, a 140,000-character prompt directed an autonomous penetration-testing agent against a French auction house; in another, over 150 offensive security tools were staged on an exposed instance; a third used a fabricated 'security auditor' persona to bypass model safety guardrails. Because all malicious traffic originates from the victim's infrastructure, the owner's IP address becomes linked to the attack chain. Security researchers warn that AI infrastructure deployed with default settings must be hardened like any other internet-facing service, including mandatory authentication and restricted network exposure.
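The hardening advice above can be checked against your own deployment inventory. The following is an added example, not code from the article or from Zenity: it classifies each service's bind setting and fails any endpoint that is reachable off-host without authentication. The inventory entries, the `auth_required` field and the accepted bind formats (`host`, `host:port`, `scheme://host:port`) are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

OLLAMA_DEFAULT_PORT = 11434  # Ollama's default API port

def parse_bind(value, default_port=OLLAMA_DEFAULT_PORT):
    """Split a bind setting (host, host:port or scheme://host:port) into (host, port)."""
    value = value.strip()
    parts = urlsplit(value if "://" in value else "//" + value)
    return (parts.hostname or ""), (parts.port or default_port)

def classify_bind(host):
    """Name the network scope a bind host implies."""
    if host in ("", "*"):
        return "all-interfaces"      # assumption: an empty host is treated as a wildcard
    if host == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"            # cannot be judged offline; needs manual review
    if ip.is_unspecified:            # 0.0.0.0 or ::
        return "all-interfaces"
    return "loopback" if ip.is_loopback else "specific-address"

def audit(services):
    """Return (name, scope, port, verdict) for each inventory entry."""
    findings = []
    for svc in services:
        host, port = parse_bind(svc["bind"], svc.get("default_port", OLLAMA_DEFAULT_PORT))
        scope = classify_bind(host)
        if scope == "loopback":
            verdict = "ok"           # not reachable from other hosts
        elif svc["auth_required"]:
            verdict = "review"       # reachable off-host, but callers must authenticate
        else:
            verdict = "fail"         # reachable off-host with no authentication
        findings.append((svc["name"], scope, port, verdict))
    return findings

# Constructed sample inventory; names, binds and auth flags are hypothetical.
SAMPLE = [
    {"name": "ollama-dev", "bind": "127.0.0.1:11434", "auth_required": False},
    {"name": "ollama-gpu", "bind": "0.0.0.0", "auth_required": False},
    {"name": "ollama-v6", "bind": "http://[::]:11434", "auth_required": False},
    {"name": "litellm-proxy", "bind": "0.0.0.0:4000", "auth_required": True},
]

if __name__ == "__main__":
    for name, scope, port, verdict in audit(SAMPLE):
        print(f"{verdict.upper():6} {name:14} {scope}:{port}")
```

A `review` verdict still warrants restricting network exposure, since the endpoint then depends on authentication alone.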
This is an AI-generated summary. ShortSingh links to the original source for the complete article.