As the software industry has evolved over recent decades to enhance product security, the rapid adoption of artificial intelligence (AI) threatens to undermine these advancements. Companies are rapidly implementing self-hosted large language model (LLM) infrastructures, driven by the potential of AI as a transformative tool and the urgency to increase productivity. However, this haste often compromises security measures.
A recent investigation by Intruder, prompted by the ClawdBot incident (a self-hosted AI assistant reported to generate an average of 2.6 CVEs per day), revealed significant flaws in AI infrastructure security. That unusually high rate of vulnerabilities in a single project led the team to examine the wider self-hosted AI space.
Using certificate transparency logs to enumerate hostnames, the research team uncovered over 2 million hosts and 1 million exposed services, painting a worrying picture of the security landscape. The AI frameworks examined were not only more vulnerable but also more misconfigured than any software Intruder had previously analyzed.
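The discovery step described above, certificate transparency logs as a source of hostnames, can be reproduced with the public crt.sh JSON export. The block below is an added example, not Intruder's tooling; it assumes the crt.sh output shape (a list of objects whose name_value field holds one or more certificate names separated by newlines), the keyword list used to flag likely AI tooling is an assumption, and the sample records are constructed so the code runs offline.

```python
"""Extract candidate hosts from a crt.sh JSON export and flag likely AI tooling.

Added example, not Intruder's scanner. Assumes the crt.sh JSON format as
returned by https://crt.sh/?q=%25.example.org&output=json : a list of
objects with "common_name" and a newline-separated "name_value".
"""
from __future__ import annotations

import json
import re

# Constructed sample in the shape crt.sh returns (field set trimmed).
SAMPLE_CRT_JSON = json.dumps([
    {"common_name": "ollama.example.org",
     "name_value": "ollama.example.org\nllm.example.org"},
    {"common_name": "*.example.org",
     "name_value": "*.example.org\nexample.org"},
    {"common_name": "flowise.internal.example.org",
     "name_value": "flowise.internal.example.org"},
    {"common_name": "N8N.Example.org",
     "name_value": "N8N.Example.org"},
    {"common_name": "www.example.org",
     "name_value": "www.example.org"},
])

# Hostname labels that suggest self-hosted LLM tooling (assumed list).
AI_KEYWORDS = ("ollama", "openwebui", "open-webui", "flowise", "n8n",
               "llm", "langflow", "dify", "chat")

# Plain DNS hostname: labels of letters/digits/hyphens, alphabetic TLD.
HOST_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def hosts_from_crtsh(raw_json: str) -> set[str]:
    """Deduplicated, lower-cased, non-wildcard hostnames from a crt.sh export.

    Wildcard names (*.example.org) cannot be connected to, so they are
    dropped; the apex they imply is kept only if it appears as its own SAN.
    """
    hosts: set[str] = set()
    for entry in json.loads(raw_json):
        names = entry.get("name_value", "").split("\n")
        names.append(entry.get("common_name", ""))
        for name in names:
            name = name.strip().lower().rstrip(".")
            if not name or name.startswith("*"):
                continue
            if HOST_RE.match(name):
                hosts.add(name)
    return hosts


def likely_ai_hosts(hosts) -> list[str]:
    """Sorted subset of hosts whose labels contain an AI-tooling keyword."""
    flagged = []
    for host in hosts:
        labels = host.split(".")
        if any(key in label for label in labels for key in AI_KEYWORDS):
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    found = hosts_from_crtsh(SAMPLE_CRT_JSON)
    ai = likely_ai_hosts(found)
    print(f"{len(found)} hosts from CT log, {len(ai)} look like AI tooling:")
    for host in ai:
        print("  ", host)
```

Keyword matching on hostnames is only a triage filter: it tells you where to look first, not what is running there. The next step is to connect to each candidate and see what service answers, and whether it asks for credentials.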
Authentication Gaps
The investigation uncovered a concerning trend: many systems were deployed with default settings that include no form of authentication at all. Examination of the projects' source code showed that numerous projects ship with authentication disabled by default, so a default install that is reachable from the internet exposes sensitive user data to anyone who finds it.
This leaves both real user data and proprietary company tooling open to malicious actors, with reputational harm and operational compromise as the likely outcomes.
For instance, chatbots, particularly those built with OpenUI, revealed the complete conversation histories of users—data that, while seemingly harmless, can provide critical insights in higher-stakes environments.
Moreover, publicly reachable chatbots exhibit even larger problems. Malicious users can bypass safety features and exploit these platforms for illegal activities, such as generating unauthorized content or running schemes, with impunity, while consuming the compute and API budget of the vulnerable deployment. This has already resulted in recorded misuse of enterprise chatbots to reach high-capability models at no cost and with no traceability back to the abuser.
Instances also surfaced of chatbots that exposed private explicit conversations, and of software that disclosed API keys in plaintext, further raising the stakes for these unsecured deployments.
Exposed Management Platforms
Several agent management platforms, such as n8n and Flowise, were also found publicly accessible without any authentication. Some instances were probably intended for internal use and were left exposed to the internet by mistake. Notably, one Flowise instance leaked the business logic behind an LLM chatbot service.
Although that Flowise instance did hide credential values from unauthenticated visitors, the interconnected nature of these platforms means that access to one bot can compromise multiple downstream systems, because the platforms themselves apply few access-management controls between workflows and the credentials they use.
The investigation also highlighted exposed workflows and functionality that could be turned to malicious ends, including server-side code execution, made possible by weak sandboxing.
Across sectors including government, marketing, and finance, more than 90 exposed instances were identified. Each of these bots, along with its workflows, prompts, and connections, was open to modification, redirection, and data exposure, posing substantial risk to the organizations running them.
Unsecured APIs
In a particularly striking discovery, a large number of Ollama APIs were found to be accessible without authentication. Sending a simple prompt such as "Hello" showed that 31% of the 5,200+ servers tested responded without requiring any credentials.
These responses raise significant concerns about misuse of AI capabilities. The exposed models were observed giving unrestricted advice on health complications, operational tasks, and even emotional support, all without oversight. Some of these endpoints are not standalone models but front ends for high-capability models from providers such as OpenAI and Google, so an unauthenticated endpoint may hand out access to those models as well.
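The Ollama check described above reduces to two documented API calls: GET /api/tags lists the models an instance serves, and POST /api/generate runs a prompt. The block below is an added example, not Intruder's scanner; it classifies what an endpoint returns (open, behind authentication, something else entirely, or unreachable) and can optionally send the "Hello" prompt to the first listed model. The timeout and the verdict labels are assumptions, and the sample responses are constructed so the classification runs offline. Only probe hosts you own or are authorized to test: every prompt sent to someone else's open Ollama burns their GPU time.

```python
"""Classify whether an Ollama endpoint answers without credentials.

Added example, not Intruder's tooling. Uses only the documented Ollama
HTTP API: GET /api/tags (model list) and POST /api/generate (prompt).
Timeout value and verdict labels are assumptions.
"""
import json
import sys
import urllib.error
import urllib.request

TIMEOUT = 5  # seconds (assumption)


def classify(status, body, error=None):
    """Map an HTTP result to one of:
    'open' (unauthenticated Ollama), 'auth_required', 'closed',
    'not_ollama' (200 but not an Ollama model list), 'unreachable'."""
    if error is not None:
        return "unreachable"
    if status in (401, 403, 407):
        return "auth_required"
    if status != 200:
        return "closed"
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return "not_ollama"
    # A real Ollama /api/tags response is {"models": [...]}.
    if isinstance(data, dict) and isinstance(data.get("models"), list):
        return "open"
    return "not_ollama"


def fetch(url, payload=None):
    """Return (status, body, error); POST JSON if payload is given."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(
        url, data=data, headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=TIMEOUT) as resp:
            return resp.status, resp.read().decode(errors="replace"), None
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode(errors="replace"), None
    except (urllib.error.URLError, OSError) as exc:
        return None, "", exc


def probe(base_url, say_hello=False):
    """Classify base_url; optionally send 'Hello' to the first listed model
    and return its reply alongside the verdict."""
    base = base_url.rstrip("/")
    status, body, err = fetch(base + "/api/tags")
    verdict = classify(status, body, err)
    reply = None
    if verdict == "open" and say_hello:
        models = json.loads(body)["models"]
        if models:
            s, b, e = fetch(base + "/api/generate", {
                "model": models[0]["name"], "prompt": "Hello", "stream": False})
            if e is None and s == 200:
                reply = json.loads(b).get("response")
    return verdict, reply


# Constructed responses for offline demonstration.
SAMPLE_OPEN = json.dumps({"models": [{"name": "llama3:latest", "size": 4661224676}]})
SAMPLE_PROXY_LOGIN = "<html><title>Sign in</title></html>"

if __name__ == "__main__":
    print(classify(200, SAMPLE_OPEN))         # open
    print(classify(401, ""))                  # auth_required
    print(classify(200, SAMPLE_PROXY_LOGIN))  # not_ollama
    if len(sys.argv) > 1:                     # e.g. http://127.0.0.1:11434
        print(probe(sys.argv[1], say_hello=True))
```

Note that a 200 from a reverse proxy's login page is not an open endpoint, which is why the verdict is decided on the body's structure rather than on the status code alone. The fix on the defending side is the mirror image: never bind Ollama to 0.0.0.0 without an authenticating proxy in front of it, and confirm from outside that /api/tags returns 401 or 403.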
Inherent Insecurities
This review of AI infrastructure indicates a troubling pattern of insecure design choices. Common problems include insecure defaults and careless deployment practices, such as hardcoded credentials and applications running with elevated privileges. A new installation with no authentication often grants the first visitor full administrative access, undermining security controls that are otherwise well established elsewhere in the stack.
The absence of robust access controls within these tools compounds the risk: an attacker who reaches one tool can often pivot straight into the systems it is connected to. Where the tool also offers arbitrary code execution, as several of the exposed workflows did, the scope of a compromise broadens from one service to the host and its credentials, which makes remediation urgent.
The Need for Action
Current practices among LLM infrastructure providers appear to overlook foundational security principles in the race to innovate. This is not solely a vendor problem, however; the pace of AI adoption and competitive market pressure make these gaps more acute on the deployment side as well.
Organizations should assess their AI infrastructure proactively, before malicious actors find these gaps for them. Intruder specializes in identifying misconfigurations and can surface the vulnerabilities that are visible from the outside.