Exposed Ollama servers are now autonomous hacking engines

Sysdig just caught an attacker using exposed Ollama servers as the reasoning engine for a fully autonomous hacking tool.

No CVE. No phishing. No stolen credentials.

Just an unauthenticated model server on port 11434 doing all the thinking while the tool scans targets, matches vulnerabilities, writes exploits, and breaks into environments.

The attacker built a complete offensive pipeline.

Service fingerprinting. Blind SQL injection. Privilege escalation. Credential extraction.

The model decides every step.

175,000 exposed Ollama instances exist right now. None require authentication.

The attacker's tool tried loading GPT-4o-mini, Claude 3.5, and Gemini 2.0 first. Then pointed at a free Ollama server instead. A drop-in replacement for metered inference.

The cost of running offensive AI just collapsed to zero.

Audit every self-hosted model server in your environment today. Treat exposed inference endpoints exactly like exposed databases. If port 11434 is reachable from the internet, you have an unattributed execution engine sitting in your network.