175,000 Exposed Ollama Hosts Raise Alarms Over Large-Scale LLM Abuse

By Ash K

Security researchers are warning that a rapidly expanding layer of open-source AI infrastructure is being left exposed at internet scale, creating new opportunities for abuse. A joint investigation by SentinelOne and Censys has identified roughly 175,000 publicly accessible Ollama hosts worldwide, many operating without authentication, monitoring, or basic safety controls.

The findings point to a growing blind spot as organisations and individuals rush to deploy local and self-hosted large language models. While these systems promise flexibility and cost savings, insecure configurations are now turning them into attractive assets for threat actors.

Global Exposure at Internet Scale

Researchers observed more than 7.23 million interactions with exposed Ollama instances over a 293-day period. The activity spanned 130 countries and 4,032 autonomous systems, illustrating how widely accessible these deployments have become.

Although approximately 175,000 hosts were identified overall, just 23,000 accounted for the majority of observed activity. This concentration suggests that a relatively small number of poorly secured systems are bearing the brunt of automated scanning and abuse.

Capabilities That Attract Abuse

Nearly half of the exposed hosts were found to support advanced functionality beyond basic text generation. These systems could execute code, access application programming interfaces, or interact with external services.

Such capabilities significantly raise the risk profile. When combined with a lack of authentication, they allow attackers to repurpose LLM infrastructure for spam generation, phishing content, disinformation campaigns, and automated prompt injection attacks at near-zero marginal cost.

A Small Subset Drives Most Activity

The analysis revealed that around 13% of identified hosts were transient but persistent, meaning they frequently appeared online and generated disproportionate traffic. Despite being a minority, these systems accounted for roughly 76% of all observed interactions.

From an attacker’s perspective, such hosts represent high-value targets. They offer reliable compute resources that can be abused repeatedly without the overhead of maintaining infrastructure.

Model-Level Risks and Prompt Injection

The exposed environments were often running popular open-source models, including Llama and Qwen variants. Researchers noted that these models are particularly susceptible to prompt injection when deployed without guardrails.

In unsecured configurations, attackers can manipulate prompts to bypass intended constraints, extract sensitive context, or coerce models into generating harmful outputs. At scale, this enables automated misuse that blends seamlessly into legitimate traffic.

Why This Matters for Defenders

The Ollama findings highlight how quickly AI infrastructure can become a new layer of shadow IT. Many deployments appear to be experimental or developer-driven, yet remain accessible long after initial testing.

For security teams, the challenge is visibility. Exposed LLM services may not resemble traditional servers or applications, making them easy to overlook during asset inventories and vulnerability scans.

Securing the Emerging AI Stack

Researchers stress that the risks are largely preventable. Basic measures such as authentication, network access controls, rate limiting, and logging would significantly reduce exposure.
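A host-level check for the network access control gap described above, added here as an example and not taken from the SentinelOne/Censys research: it parses `ss -H -tln` output and flags listeners on Ollama's default API port 11434 that are bound to anything other than loopback. The port number comes from Ollama's defaults rather than from the article, and the sample output and function names are constructed for illustration.

```python
import ipaddress

OLLAMA_PORT = 11434  # Ollama's default API port (assumption; the article gives no port)

# Constructed sample of `ss -H -tln` output, not real data.
SAMPLE_SS = """\
LISTEN 0 4096 127.0.0.1:11434 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:11434 0.0.0.0:*
LISTEN 0 4096 [::1]:11434 [::]:*
LISTEN 0 4096 *:11434 *:*
LISTEN 0 128 192.168.1.20:11434 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
"""

def classify_bind(host):
    """Classify a bind address as loopback, all-interfaces, specific-address or unknown."""
    host = host.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and %iface scope
    if host == "*":
        return "all-interfaces"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"  # not numeric; treated as needing review
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified:  # 0.0.0.0 or ::
        return "all-interfaces"
    return "specific-address"

def audit_listeners(ss_output, port=OLLAMA_PORT):
    """Return (local_address, verdict) for every TCP listener on `port`."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, lport = fields[3].rpartition(":")
        if lport == str(port):
            findings.append((fields[3], classify_bind(host)))
    return findings

def exposed(findings):
    """Listeners reachable from beyond the local machine unless a firewall blocks them."""
    return [addr for addr, verdict in findings if verdict != "loopback"]

if __name__ == "__main__":
    for addr in exposed(audit_listeners(SAMPLE_SS)):
        print(f"review: Ollama port bound to {addr}")
```

A non-loopback bind is not proof of internet exposure, since a host or perimeter firewall may still block it, but each flagged listener is one that needs authentication, access controls and logging in front of it.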

As enterprises increasingly embed AI agents and local models into workflows, governance must extend beyond data and prompts to include the infrastructure that runs them. Without that shift, exposed LLM hosts risk becoming the next widely abused resource for low-cost, high-volume malicious campaigns.

Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.