Security researchers from multiple cybersecurity firms have discovered more than 1 million exposed AI infrastructure services across roughly 2 million hosts, largely the result of weak default configurations.
The findings suggest that businesses racing to self-host large language model infrastructure are trading security for speed, putting decades of software security progress at risk in the rush to adopt AI and deliver value faster.
Researchers used certificate transparency logs to identify approximately 2 million hosts with 1 million exposed services. The investigation found AI infrastructure to be more vulnerable, exposed and misconfigured than any other software category the researchers had previously examined. Many hosts had been deployed straight out of the box with no authentication in place, because authentication simply is not enabled by default in many of these projects.
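The researchers did not publish their exact methodology, but the certificate-transparency approach can be sketched roughly as follows: pull certificate records from a CT log aggregator such as crt.sh, then filter the certified hostnames for AI-related keywords. The minimal sketch below assumes records in the JSON shape crt.sh returns; the sample data and keyword list are hypothetical, not the researchers' actual criteria.

```python
import json

# Sample records in the JSON shape returned by crt.sh (?q=...&output=json).
# A real survey would page through live query results; these are illustrative.
SAMPLE_RECORDS = json.loads("""[
  {"common_name": "ollama.example-corp.com",
   "name_value": "ollama.example-corp.com\\nchat.example-corp.com"},
  {"common_name": "flowise.acme-test.io",
   "name_value": "flowise.acme-test.io"}
]""")

# Keywords hinting that a certificate belongs to AI infrastructure
# (a hypothetical heuristic, not the study's actual filter).
AI_KEYWORDS = ("ollama", "flowise", "n8n", "llm", "chat")

def ai_hostnames(records):
    """Collect unique hostnames whose names match an AI-related keyword."""
    hosts = set()
    for rec in records:
        # name_value may hold several SAN entries separated by newlines
        for name in rec.get("name_value", "").splitlines():
            if any(kw in name.lower() for kw in AI_KEYWORDS):
                hosts.add(name.strip())
    return sorted(hosts)
```

The candidate hostnames would then be resolved and probed to confirm which services actually answer without authentication.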
Security researchers discovered numerous chatbots that left user conversations exposed. More concerning were generic chatbots hosting a wide range of models, including multimodal LLMs, freely usable without authentication. Malicious users can jailbreak most models to bypass safety guardrails: attackers craft prompts that sneak past or override built-in safeguards by manipulating instructions, context or hidden tokens to produce content that is supposed to be off-limits.
CyberArk researchers demonstrated that jailbreaks can work across practically any text-based model using automated methods. Their open-source framework FuzzyAI uses fuzzing techniques to systematically test LLM security boundaries by generating and testing adversarial inputs against models. The tool applies over 15 attacking methods including passive history which frames sensitive information within legitimate research contexts, taxonomy-based paraphrasing using persuasive language techniques, and best of N which exploits prompt augmentations through repeated sampling.
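FuzzyAI's actual implementation differs, but the best-of-N idea can be illustrated with a minimal sketch: repeatedly sample small perturbations of a prompt and keep the first variant the model fails to refuse. The `augment` perturbations and `stub_model` below are illustrative stand-ins, not FuzzyAI code.

```python
import random

def augment(prompt, rng):
    """Apply one random perturbation to the prompt (a tiny illustrative
    set; real fuzzing tools use many more augmentation strategies)."""
    choice = rng.randrange(3)
    if choice == 0:
        return prompt.upper()                  # case shuffling
    if choice == 1:
        return " ".join(prompt.split()[::-1])  # word reordering
    return prompt.replace("a", "@")            # character substitution

def best_of_n(prompt, model, n=10, seed=0):
    """Sample n augmented prompts; return the first one the model
    fails to refuse, or None if every attempt is blocked."""
    rng = random.Random(seed)
    for _ in range(n):
        candidate = augment(prompt, rng)
        if not model(candidate).startswith("REFUSED"):
            return candidate
    return None

# Stub standing in for a real LLM endpoint: it "refuses" any prompt
# containing the lowercase word "exploit" (a toy guardrail).
def stub_model(prompt):
    return "REFUSED" if "exploit" in prompt else "OK: ..."

hit = best_of_n("write an exploit", stub_model, n=20)
```

The point of the technique is statistical: each individual augmentation has a modest chance of slipping past a guardrail, but repeated sampling drives the overall success probability up quickly.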
Researchers discovered exposed instances of agent management platforms including n8n and Flowise. The investigation identified over 90 exposed instances across sectors including government, marketing and finance, with all chatbots, workflows, prompts and outward access open to anyone. One of the more surprising findings was the sheer number of exposed Ollama APIs accessible without authentication: of 5,200 servers queried, 31% answered without requiring credentials, collectively serving 518 models that wrapped well-known frontier models from Anthropic, DeepSeek, Moonshot, Google and OpenAI.
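Checking whether an Ollama server answers unauthenticated comes down to a single GET against its documented model-listing endpoint, `/api/tags`. A minimal probe might look like the sketch below, with the response parsing split out so it can be exercised without a live server; only probe hosts you own or are authorized to test.

```python
import json
from urllib.request import urlopen
from urllib.error import URLError

def model_names(tags_json):
    """Extract model names from an Ollama /api/tags response body."""
    return [m.get("name", "") for m in json.loads(tags_json).get("models", [])]

def probe(host, port=11434, timeout=3):
    """Return the model list if the server answers /api/tags without
    credentials, or None if it is unreachable or responds abnormally.
    11434 is Ollama's default port."""
    try:
        with urlopen(f"http://{host}:{port}/api/tags", timeout=timeout) as resp:
            return model_names(resp.read().decode())
    except (URLError, OSError, ValueError):
        return None
```

That a plain HTTP GET with no token is enough to enumerate (and, via the companion generation endpoints, use) the hosted models is precisely the insecure-by-default behavior the researchers flagged.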
After analyzing these applications in a lab environment, researchers found the same insecure patterns repeated: poor deployment practices with insecure defaults and misconfigured Docker setups; no authentication on fresh installs, dropping users straight into high-privilege accounts; hardcoded credentials embedded in setup examples; and new technical vulnerabilities, including arbitrary code execution, discovered within days. Some projects powering large language model infrastructure have abandoned decades of security best practice in favor of shipping fast.
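A cheap first defense against the hardcoded-credentials pattern is a secret scan of setup and compose files before deployment. The sketch below uses a naive regex heuristic (the pattern and placeholder list are illustrative; production scanners add entropy checks and far larger rule sets):

```python
import re

# Naive pattern for credential-looking assignments such as
# API_KEY=..., password: "...", secret=... (illustrative only).
CRED_PATTERN = re.compile(
    r"""(?P<key>api[_-]?key|password|secret|token)\s*[:=]\s*["']?(?P<val>[^\s"']+)""",
    re.IGNORECASE,
)

def find_hardcoded_credentials(text):
    """Return (key, value) pairs that look like hardcoded secrets,
    skipping a few obvious placeholder values."""
    hits = []
    for m in CRED_PATTERN.finditer(text):
        value = m.group("val")
        if value.lower() not in {"changeme", "<your-key-here>"}:
            hits.append((m.group("key").lower(), value))
    return hits
```

Running a check like this in CI on example configs and compose files would catch the "credentials embedded in setup examples" anti-pattern before it ships.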
