Attackers Hijack Exposed AI Endpoints to Power Offensive Ops

Cybersecurity Threats Leverage Exposed AI Endpoints with Alarming Ease

A growing number of attackers are hijacking exposed artificial intelligence (AI) inference endpoints and turning them into back ends for their own offensive tooling. Researchers at Zenity have observed three distinct campaigns in recent months in which organization-owned AI endpoints were driven by outside operators. None of them required a compromise of the host: the attacker only needed to know where the exposed endpoint was.

The root of the problem is that many self-hosted AI applications expose inference endpoints so that other applications can call them, and those endpoints can be reached without any special authentication unless the operator adds it. Ollama’s “/api/generate” and LiteLLM’s “/v1/responses” are two examples: whoever can reach them can submit prompts and receive completions. All an attacker needs is the endpoint’s address and a client or agent framework that can be configured to use it as its model backend; the victim’s hardware and models then do the work.

The three operators Zenity identified used the same technique for different ends. Two ran autonomous penetration testing frameworks, Strix and HexStrike AI, with the hijacked endpoints serving as their model backend, while the third ran an OpenAI Codex agent built to suppress safety refusals and assist with web reverse-engineering work. The ease with which they did so shows that no sophisticated tooling is needed: a stock client pointed at someone else’s endpoint is enough.

In one instance, a single IP source used a LiteLLM client to send a 140,000-character prompt to an Ollama endpoint, instructing the agent to “GO SUPER HARD on all targets”. Persistent “retry” commands in the traffic suggested a live operation rather than a test. Another attacker pointed a desktop LLM client at an Ollama instance and handed it a penetration testing orchestration service’s toolset, while a third IP source used an OpenAI Codex agent to carry out web reverse-engineering work under the persona of a security auditor.
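The three traffic patterns described above (prompts arriving from sources that should never reach the model backend, an unusually large prompt body, and a rapid run of retries against the same endpoint) are all visible in the access log of a reverse proxy placed in front of Ollama or LiteLLM. The following detector is an added example written for this article, not code from Zenity, Ollama or LiteLLM. It assumes an nginx-style log format of our own choosing that records the request length, an allow-list of internal networks, and thresholds (100,000 request bytes, three hits in 60 seconds) picked to match the incident; the log lines are constructed.

```python
"""Flag hijack indicators in reverse-proxy access logs for self-hosted inference endpoints."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumed nginx-style log format (our choice, not Ollama's or LiteLLM's own output):
#   $remote_addr - [$time_local] "$request" $status $request_length $body_bytes_sent
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<req_len>\d+) (?P<resp_len>\d+)$'
)

# Inference-serving paths named in the article plus their common siblings (assumption).
INFERENCE_PATHS = {
    "/api/generate", "/api/chat",                                 # Ollama
    "/v1/responses", "/v1/chat/completions", "/v1/completions",   # LiteLLM / OpenAI-compatible
}
# Callers allowed to reach the model backend at all (assumed internal ranges).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]
MAX_PROMPT_BYTES = 100_000      # threshold assumption; the observed prompt was ~140,000 characters
RETRY_COUNT, RETRY_WINDOW_S = 3, 60


def parse(line):
    """Parse one access-log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]   # drop query string before matching paths
    rec["req_len"] = int(rec["req_len"])
    return rec


def is_allowed(ip):
    """True when the source address belongs to one of the internal allow-listed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)


def detect(lines):
    """Return sorted findings as (rule, ip, path) triples, at most one per rule/ip/path."""
    findings = set()
    per_key = defaultdict(list)   # (ip, path) -> request timestamps
    for line in lines:
        rec = parse(line)
        if rec is None or rec["path"] not in INFERENCE_PATHS:
            continue
        key = (rec["ip"], rec["path"])
        if not is_allowed(rec["ip"]):
            findings.add(("external_inference",) + key)
        if rec["req_len"] > MAX_PROMPT_BYTES:
            findings.add(("oversized_prompt",) + key)
        per_key[key].append(rec["ts"])
    # Retry bursts: RETRY_COUNT hits on one endpoint from one source inside RETRY_WINDOW_S.
    for key, stamps in per_key.items():
        stamps.sort()
        for i in range(len(stamps) - RETRY_COUNT + 1):
            if (stamps[i + RETRY_COUNT - 1] - stamps[i]).total_seconds() <= RETRY_WINDOW_S:
                findings.add(("retry_burst",) + key)
                break
    return sorted(findings)


# Constructed sample log: one internal caller, one external caller replaying a huge prompt
# with retries, one external caller using the OpenAI-compatible path, plus non-inference noise.
SAMPLE_LOG = """
10.0.4.12 - [30/Jun/2026:10:01:02 +0000] "POST /api/generate HTTP/1.1" 200 2140 9820
203.0.113.77 - [30/Jun/2026:10:03:15 +0000] "POST /api/generate HTTP/1.1" 200 141236 512
203.0.113.77 - [30/Jun/2026:10:03:16 +0000] "POST /api/generate HTTP/1.1" 500 141236 80
203.0.113.77 - [30/Jun/2026:10:03:18 +0000] "POST /api/generate HTTP/1.1" 500 141236 80
203.0.113.77 - [30/Jun/2026:10:03:21 +0000] "POST /api/generate HTTP/1.1" 200 141236 3300
198.51.100.9 - [30/Jun/2026:10:05:40 +0000] "POST /v1/responses HTTP/1.1" 200 5120 2048
198.51.100.9 - [30/Jun/2026:10:05:41 +0000] "GET /api/tags HTTP/1.1" 200 210 1650
10.0.4.12 - [30/Jun/2026:10:06:00 +0000] "GET /health HTTP/1.1" 200 150 20
""".strip().splitlines()

if __name__ == "__main__":
    for rule, ip, path in detect(SAMPLE_LOG):
        print(f"{rule:20} {ip:16} {path}")
```

Run it against a real proxy log with `detect(open("access.log"))` after adjusting `LINE_RE` to the proxy’s actual format. The rules are deliberately independent: an external caller is worth a look even with a small prompt, and a retry burst from an internal host may simply be a buggy client, so the tuple output keeps the three signals separate for triage rather than collapsing them into one score.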

The weakness lies in how Ollama and LiteLLM handle authentication. Ollama ships with no built-in authentication on its default port; it listens on 127.0.0.1:11434 by default, but operators who set OLLAMA_HOST to bind all interfaces, or who forward the port, expose an API that anyone can call. LiteLLM’s authentication is opt-in: the proxy enforces API keys only when a master key is configured, and until then it accepts requests from any caller. On top of that, many organizations misconfigure their AI software and expose it directly to the internet, creating an attack surface that is trivial to exploit.
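The corrected settings side by side with the weak ones, as an added example and not configuration from the article or from the Ollama or LiteLLM projects. It assumes the LiteLLM proxy config keys `model_list`, `litellm_params`, `general_settings.master_key` and the `os.environ/` indirection for secrets; the model name and key variable are placeholders.

```yaml
# Ollama side (shell, not YAML): the weak launch binds every interface with no auth,
#   OLLAMA_HOST=0.0.0.0:11434 ollama serve
# The hardened launch leaves OLLAMA_HOST unset so the API stays on 127.0.0.1:11434.

# Weak LiteLLM proxy config: no general_settings.master_key, so any caller that can
# reach the proxy port can use /v1/responses.
#
# model_list:
#   - model_name: local-llama
#     litellm_params:
#       model: ollama/llama3
#       api_base: http://127.0.0.1:11434

# Hardened LiteLLM proxy config: a key is required on every request.
model_list:
  - model_name: local-llama                 # placeholder name (assumption)
    litellm_params:
      model: ollama/llama3                  # placeholder model (assumption)
      api_base: http://127.0.0.1:11434      # Ollama on its default loopback bind only
general_settings:
  master_key: os.environ/LITELLM_MASTER_KEY # read from the environment, never hard-coded
```

Start the proxy with the key in the environment (`LITELLM_MASTER_KEY=... litellm --config config.yaml`) and confirm that a request without an `Authorization: Bearer` header is rejected. Note that the master key protects only the proxy: if the Ollama port itself is reachable from outside the host, the proxy can be bypassed entirely, which is why the Ollama bind stays on loopback.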

The takeaway is clear: do not expose your AI infrastructure, or you risk turning it into a tool for malicious actors. As Zenity’s chief technology officer Michael Bargury notes, “customers own their AI footprint when it comes to responsibility”, but vendors also have a role to play in securing their platforms and shipping secure defaults. In practice that means inventorying every inference endpoint, binding it to loopback or a private network, requiring authentication (or placing an authenticating reverse proxy in front of software that has none), and watching for prompt traffic from sources that should not be there.


Source: Dark Reading — 2026-06-30