What Happened
Threat actors have exploited publicly accessible AI endpoints that lacked authentication controls. These endpoints—serving large language models, image generation systems, and other AI capabilities—were accessible over the internet without requiring credentials, API keys, or session tokens. Attackers used these exposed resources to hijack enterprise AI infrastructure for malicious purposes.
The core issue: organizations deployed AI services with the same security posture as internal development tools, then exposed them to the public internet.
Timeline
This pattern is common across organizations:
Initial deployment: Development teams set up AI endpoints for internal testing or proof-of-concept work. Authentication is deferred as "phase two."
Production migration: The endpoint moves to production infrastructure, but authentication remains unprioritized.
Discovery: Attackers scan for common AI service ports and paths. Tools like Shodan, Censys, and custom scanners identify endpoints responding on standard inference ports (often 8000, 8080, or 443 with predictable paths like /v1/chat/completions).
Exploitation: With direct access confirmed, attackers send requests to the endpoint. No credentials required. The system processes every request as legitimate.
Sustained abuse: Attackers use the compromised endpoints to generate phishing content, analyze stolen data, conduct reconnaissance against other targets, or simply rack up compute costs on someone else's infrastructure.
The time between deployment and discovery can be hours. The time between discovery and exploitation is typically zero—if an endpoint responds without authentication, it's already compromised.
Which Controls Failed or Were Missing
Network segmentation: AI endpoints were on public-facing networks with no firewall rules restricting access by source IP, network segment, or identity.
Authentication and authorization: The endpoints accepted and processed requests from any source. No API keys, no OAuth flows, no mutual TLS, no session management.
Input validation: Even when attackers sent malicious prompts or attempted prompt injection, the systems processed the requests without rate limiting or content filtering.
Monitoring and alerting: Organizations lacked visibility into who was accessing their AI endpoints. No logs captured source IPs, request patterns, or unusual usage spikes indicating unauthorized access.
Asset inventory: Security teams were unaware of these endpoints. They weren't in the CMDB, weren't part of vulnerability scans, and weren't included in access reviews.
What the Standards Require
PCI DSS v4.0.1 Requirement 1.4.2 mandates that inbound traffic from untrusted networks is restricted to only those protocols and services necessary for business. An AI endpoint serving internal development needs has no business accepting connections from the entire internet.
OWASP ASVS v4.0.3 Requirement 2.1.1 specifies that all authentication controls must fail securely. An endpoint with no authentication mechanism doesn't fail securely—it fails open, granting access to anyone who finds it.
ISO/IEC 27001:2022 Control 5.15 (identity and access management) requires that access to information and systems is restricted based on business requirements. "Anyone on the internet" is not a business requirement for AI inference endpoints.
NIST 800-53 Rev 5 AC-3 (Access Enforcement) states that systems must enforce approved authorizations for logical access. Without authentication, there's no authorization to enforce.
SOC 2 Type II CC6.1 (logical and physical access controls) requires that entities implement controls to prevent or detect unauthorized access. An endpoint that never asks for credentials can't detect unauthorized access—every request looks authorized.
The pattern across all frameworks: authentication isn't optional. If a system processes requests or returns data, it must verify the requestor's identity and authorization first.
Lessons and Action Items for Your Team
Inventory your AI endpoints now. Don't wait for your next quarterly asset review. Run a scan today:
- Check your cloud provider's service listings for AI/ML instances
- Search your container registries for LLM and inference images
- Query your API gateway logs for inference-related paths
- Ask your development teams what they deployed last quarter
Implement authentication before deployment. Your options, in order of preference:
- Mutual TLS for service-to-service communication
- OAuth 2.0 with short-lived tokens for user-facing applications
- API keys with rotation policies (minimum: rotate every 90 days)
- At minimum: HTTP Basic Auth with strong passwords (this is your floor, not your target)
Apply network controls immediately. For existing unauthenticated endpoints:
- Add firewall rules restricting access to known source IPs
- Move endpoints behind a VPN or private network
- Deploy a reverse proxy that enforces authentication before forwarding requests
- If the endpoint must be public, add rate limiting by source IP (start with 10 requests/minute)
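The key check, expiry-driven rotation, and per-source rate limit from the two lists above, as an added example that is not code from the original page: the admission decision of a reverse proxy in front of an inference endpoint. The key table, principals, expiry values and 203.0.113.x source addresses are constructed placeholders.

```python
import hashlib
import hmac
import logging
import time
from collections import defaultdict, deque

# Constructed example: admission decision of a reverse proxy placed in front
# of an inference endpoint. Placeholder keys only, never real secrets.
# key -> (principal, expiry epoch); expiry enforces the 90-day rotation policy.
API_KEYS = {"demo-key-0001": ("team-nlp", 2_000_000_000),
            "demo-key-0002": ("legacy-job", 1_000_000_000)}  # already expired
RATE_LIMIT, WINDOW_SECONDS = 10, 60     # the page's suggested starting point
log = logging.getLogger("ai-gateway")
_buckets = defaultdict(deque)           # source IP -> recent request timestamps

def _digest(s):
    return hashlib.sha256(s.encode()).digest()

def _lookup_key(presented, now):
    """Compare against every stored key in constant time (hashing first hides
    length differences); return the principal for a valid, unexpired key."""
    principal = None
    for key, (owner, expires) in API_KEYS.items():
        if hmac.compare_digest(_digest(key), _digest(presented)) and now < expires:
            principal = owner
    return principal

def _over_limit(src_ip, now):
    q = _buckets[src_ip]
    while q and now - q[0] >= WINDOW_SECONDS:   # drop timestamps outside window
        q.popleft()
    if len(q) >= RATE_LIMIT:
        return True
    q.append(now)
    return False

def admit(headers, src_ip, path, now=None):
    """Return (status, principal): 429 over limit, 401 no/bad/expired key,
    200 forward. Rate limiting runs first so unauthenticated traffic is throttled too."""
    now = time.time() if now is None else now
    if _over_limit(src_ip, now):
        log.warning("rate_limited src=%s path=%s", src_ip, path)
        return 429, None
    auth = headers.get("Authorization", "")
    presented = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    principal = _lookup_key(presented, now)
    if principal is None:
        log.warning("auth_failed src=%s path=%s", src_ip, path)
        return 401, None
    log.info("forward src=%s principal=%s path=%s", src_ip, principal, path)
    return 200, principal
```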
Enable logging and monitoring. You need visibility into:
- Source IP and user agent for every request
- Request and response sizes (watch for data exfiltration)
- Error rates (failed authentication attempts)
- Usage patterns (requests per hour, tokens consumed)
Set alerts for:
- First-time source IPs accessing the endpoint
- Request volumes exceeding 2x your normal baseline
- Any requests from IP ranges outside your expected geography
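The three alert triggers listed above, run over a constructed access log for an inference endpoint, as an added example that is not from the original page. Expected geography is stood in for by a list of expected networks, since no GeoIP lookup is available offline; the log lines, the 10.20.0.0/16 range and the baseline of two requests per hour are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample access log (not real traffic).
# Fields: hour bucket, source IP, method, path, status, response bytes
SAMPLE_LOG = """\
2024-05-01T10 10.20.0.5 POST /v1/chat/completions 200 1800
2024-05-01T10 10.20.0.5 POST /v1/chat/completions 200 2100
2024-05-01T11 10.20.0.5 POST /v1/chat/completions 200 1900
2024-05-01T12 198.51.100.7 POST /v1/chat/completions 200 5200
2024-05-01T12 198.51.100.7 POST /v1/chat/completions 200 5400
2024-05-01T12 198.51.100.7 POST /v1/chat/completions 200 5100
2024-05-01T12 198.51.100.7 POST /v1/chat/completions 200 5300
2024-05-01T12 10.20.0.5 POST /v1/chat/completions 200 1700
"""
EXPECTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # constructed: stands in for geography
BASELINE_PER_HOUR = 2.0                                  # constructed: normal hourly volume

def parse(log_text):
    rows = []
    for line in log_text.splitlines():
        hour, src, method, path, status, size = line.split()
        rows.append({"hour": hour, "src": src, "path": path,
                     "status": int(status), "bytes": int(size)})
    return rows

def detect(rows, known_ips, expected_nets=EXPECTED_NETS, baseline=BASELINE_PER_HOUR):
    """Return sorted alert strings: first-seen IP, out-of-range IP, volume > 2x baseline."""
    alerts = set()
    # only inference paths count toward the volume baseline
    per_hour = Counter(r["hour"] for r in rows if r["path"].startswith("/v1/"))
    for r in rows:
        ip = ipaddress.ip_address(r["src"])
        if r["src"] not in known_ips:
            alerts.add(f"first_seen_ip {r['src']}")
        if not any(ip in net for net in expected_nets):
            alerts.add(f"out_of_expected_range {r['src']}")
    for hour, n in per_hour.items():
        if n > 2 * baseline:
            alerts.add(f"volume_spike {hour} requests={n} baseline={baseline:g}")
    return sorted(alerts)
```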
Update your threat model. If you're running AI services, add these scenarios:
- Attacker uses your endpoint to generate phishing content targeting your customers
- Attacker extracts training data through carefully crafted prompts
- Attacker uses your compute resources to attack third parties (you become the infrastructure for their offensive operations)
Fix your deployment pipeline. Add these gates:
- Pre-deployment checklist: "Does this service require authentication? How is it enforced?"
- Automated scanning for endpoints listening on 0.0.0.0 or public IPs
- Required security review for any service that processes external input
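The "listening on 0.0.0.0 or public IPs" gate from the list above, as an added example that is not from the original page: it parses constructed `ss -ltn` output and fails the pipeline when an inference port is bound to a wildcard or non-internal address. The sample listeners, the port set and the 10.0.0.0/8 internal range are assumptions.

```python
import ipaddress

# Constructed sample of `ss -ltn` output captured on a host before deployment.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:8000      0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*
LISTEN 0      128    [::]:443            [::]:*
LISTEN 0      128    10.20.0.9:8000      0.0.0.0:*
LISTEN 0      128    203.0.113.10:8000   0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
"""
INFERENCE_PORTS = {8000, 8080, 443}                      # ports the page names
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]     # constructed org range

def classify(host):
    """wildcard / loopback / internal / public for a bound address."""
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:
        return "wildcard"
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in INTERNAL_NETS):
        return "internal"
    return "public"

def parse_listeners(ss_text):
    """Yield (host, port) from the Local Address:Port column, skipping the header."""
    out = []
    for line in ss_text.splitlines()[1:]:
        local = line.split()[3]
        host, _, port = local.rpartition(":")   # rpartition keeps IPv6 colons intact
        out.append((host.strip("[]"), int(port)))
    return out

def gate(ss_text, ports=INFERENCE_PORTS):
    """Return (host, port, class) for every inference port that must not ship."""
    failing = []
    for host, port in parse_listeners(ss_text):
        if port not in ports:
            continue
        cls = classify(host)
        if cls in ("wildcard", "public"):
            failing.append((host, port, cls))
    return failing
```

An empty list from `gate` means the deployment may proceed; anything else is a blocking finding for the pre-deployment checklist.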
The attackers who found these endpoints didn't need sophisticated techniques. They used basic network scanning tools and knew many organizations deploy AI services without authentication. Your job is to make your infrastructure secure—properly authenticated, monitored, and controlled. The exciting security incidents happen to teams who skip the essential work.